Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
Published: 2026-02-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS with potential session hijack
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists on the MajorDoMo /objects/?op=set endpoint, which accepts property values without sanitization and stores them directly in the database. When an administrator opens the property editor, the unsanitized data is rendered inside a paragraph tag and a textarea on page load, automatically executing any embedded script. The vulnerability also allows an attacker, via the unauthenticated /api.php/data/ endpoint, to enumerate properties and inject malicious JSON to poison them. In addition, session cookies are transmitted without the HttpOnly flag, permitting session hijack through document.cookie exfiltration. The exposed defect therefore lets a remote unauthenticated user permanently compromise the administrator interface, potentially gaining full control over the device and its network traffic.

Affected Systems

MajorDoMo (Major Domestic Module) provided by sergejey. No specific product version numbers are listed in the CNA data; therefore any deployment where the /objects/?op=set endpoint is exposed as documented is vulnerable.

Risk and Exploitability

The vulnerability scores a CVSS of 5.3, indicating moderate severity, with an EPSS score stored in the (0%,1%) interval and absence from the CISA KEV catalog. Attackers do not require credentials; the unauthenticated property endpoint is the primary attack vector. Exploitation involves submitting a crafted property value containing JavaScript, causing arbitrary script execution when an admin loads the property editor. Given the lack of authentication and the impairing session cookie flag, the risk is significant for environments where the device is accessed remotely or managed by administrators with elevated privileges.

Generated by OpenCVE AI on April 16, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MajorDoMo to the latest release that sanitizes property inputs or patches the /objects/?op=set endpoint
  • Configure the web server to set the HttpOnly flag on the session cookie to prevent client‑side script access
  • Restrict or remove unauthenticated access to the /objects/?op=set and /api.php/data/ endpoints, either by enabling authentication or by limiting the IP addresses that can reach them

Generated by OpenCVE AI on April 16, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mjdm
Mjdm majordomo
CPEs cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
Vendors & Products Mjdm
Mjdm majordomo
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. User-supplied property values are stored raw in the database without sanitization. When an administrator views the property editor in the admin panel, the stored values are rendered without escaping in both a paragraph tag (SOURCE field) and a textarea element (VALUE field). The XSS fires on page load without requiring any click from the admin. Additionally, the session cookie lacks the HttpOnly flag, enabling session hijack via document.cookie exfiltration. An attacker can enumerate properties via the unauthenticated /api.php/data/ endpoint and poison any property with malicious JavaScript.
Title MajorDoMo Stored Cross-Site Scripting via Property Set Endpoint
First Time appeared Sergejey
Sergejey majordomo
Weaknesses CWE-79
CPEs cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
Vendors & Products Sergejey
Sergejey majordomo
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Mjdm Majordomo
Sergejey Majordomo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:12.655Z

Reserved: 2026-02-18T15:22:30.053Z

Link: CVE-2026-27177

cve-icon Vulnrichment

Updated: 2026-02-20T19:27:37.352Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T22:16:25.610

Modified: 2026-02-20T20:00:36.277

Link: CVE-2026-27177

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses