Affected software: DirectAdmin versions below 1.60.2
There is a reflected XSS in the DirectAdmin e-mail word filter (CMD_EMAIL_FILTER), in the "Block all e-mail containing the word" field, and in e-mail forwarder creation (CMD_EMAIL_FORWARDER), in the "Forwarder Name" field.
Update DirectAdmin to version 1.60.2 or later. The configuration option check_referer, which has been enabled by default for new installations since 1.34.5, should prevent exploitation.
- 2020-02-07 - Vulnerability reported to vendor.
- 2020-02-07 - Response from vendor and fix in pre-release binaries.
- 2020-02-08 - DirectAdmin version 1.60.2 released with vulnerability fixed.