Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.
Published: 2026-02-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting enabling session hijack
Action: Patch immediately
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in MajorDoMo. The /objects/?method= endpoint accepts attacker‑controlled parameters without validation, and default methods such as ThisComputer.VolumeLevelChanged forward the supplied VALUE directly to the say() function. This value is stored in the shouts database table unescaped. The shoutbox widget then renders these messages without sanitization, meaning any injected script runs automatically when an administrator visits the dashboard. This allows delivery of malicious code that can exfiltrate session cookies, enabling session hijack.

Affected Systems

MajorDoMo, also known as Major Domestic Module, provided by sergejey. The CVE does not specify a restricted version range, so all installations that include the affected shoutbox functionality are potentially impacted. The flaw exists in the web interface that serves the dashboard and shoutbox widget.

Risk and Exploitability

The flaw scores 5.3 on the CVSS scale and has an EPSS of less than 1 %. It is not listed in the CISA KEV catalog. An attacker can exploit the issue remotely by injecting malicious HTML into the shoutbox via the public /objects/?method= endpoint. The payload will run automatically on the next dashboard refresh, which occurs every three seconds, meaning an attacker only needs an administrator to view the dashboard to succeed. Although the flaw requires the victim to have an authenticated session, the impact is modest but could lead to session hijack if the administrator’s session cookie is stolen. The low exploitation probability reflects the specific angle needed for success.

Generated by OpenCVE AI on April 16, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MajorDoMo to the latest version where the shoutbox XSS issue has been patched.
  • If an upgrade is not feasible, modify the say() function or database layer to escape the VALUE parameter before storing or rendering it.
  • Restrict the shoutbox widget to authenticated administrators and disable its auto‑refresh feature, or apply a Content Security Policy that blocks inline scripts and disallows script execution in the widget.

Generated by OpenCVE AI on April 16, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mjdm
Mjdm majordomo
CPEs cpe:2.3:a:mjdm:majordomo:-:*:*:*:*:*:*:*
Vendors & Products Mjdm
Mjdm majordomo

Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.
Title MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox
First Time appeared Sergejey
Sergejey majordomo
Weaknesses CWE-79
CPEs cpe:2.3:a:sergejey:majordomo:*:*:*:*:*:*:*:*
Vendors & Products Sergejey
Sergejey majordomo
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Mjdm Majordomo
Sergejey Majordomo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:13.513Z

Reserved: 2026-02-18T15:22:30.053Z

Link: CVE-2026-27178

cve-icon Vulnrichment

Updated: 2026-02-20T19:02:16.530Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T22:16:25.790

Modified: 2026-02-20T19:58:33.253

Link: CVE-2026-27178

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses