CVE-2026-27177
📋 TL;DR
MajorDoMo contains an unauthenticated stored XSS vulnerability that allows attackers to inject malicious JavaScript into property values. When administrators view the property editor, the malicious code executes automatically, potentially leading to session hijacking since cookies lack HttpOnly protection. All MajorDoMo instances with the vulnerable endpoint accessible are affected.
💻 Affected Systems
- MajorDoMo (Major Domestic Module)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of admin accounts leading to full system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Session hijacking of admin accounts, allowing attackers to modify system configurations, install backdoors, or access sensitive IoT device data.
If Mitigated
Limited impact with proper network segmentation and admin account monitoring, though XSS could still execute in admin context.
🎯 Exploit Status
Attackers can enumerate properties via the /api.php/data/ endpoint and inject payloads without authentication. The XSS fires automatically when an administrator loads the property editor page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check pull request #1177 for the specific version
Vendor Advisory: https://github.com/sergejey/majordomo/pull/1177
Restart Required: No
Instructions:
1. Update to the patched version from the official repository.
2. Apply the fix that adds proper input sanitization and output escaping.
3. Verify the /objects/?op=set endpoint now validates and sanitizes input.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the /objects/?op=set endpoint to trusted IoT devices only using firewall rules or web server configuration.
# Example nginx location block (replace 192.168.1.0/24 with your IoT segment);
# allow/deny rules are evaluated in order, so the deny must come last
location /objects/ {
    allow 192.168.1.0/24;
    deny all;
}
Add HttpOnly Flag to Session Cookies
Configure the application to set the HttpOnly flag on session cookies to prevent JavaScript access.
; In php.ini (php.ini comments use ';', not '#')
session.cookie_httponly = 1
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Deploy a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Test if you can submit unauthenticated POST requests to /objects/?op=set with malicious payloads that persist and execute in the admin panel.
Check Version:
Check the MajorDoMo version in the admin panel or configuration files.
Verify Fix Applied:
Verify that input to /objects/?op=set is properly sanitized and that output in the admin panel is HTML-encoded.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /objects/?op=set endpoint
- JavaScript payloads in property value fields
- Multiple property enumeration requests to /api.php/data/
Network Indicators:
- Unusual traffic patterns to the vulnerable endpoints from untrusted sources
- Suspicious JavaScript in HTTP POST parameters
SIEM Query:
source="web_server" AND ((url="/objects/?op=set" AND method="POST") OR url="/api.php/data/")
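The log indicators above, turned into a small detector as an added example (not code from the advisory or from the MajorDoMo project): it flags POST requests to /objects/?op=set whose form values contain script-like markup, and clients that hit /api.php/data/ repeatedly. It assumes a reverse proxy that logs the POST body as the last quoted field; the log lines and the ENUM_THRESHOLD value are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real MajorDoMo traffic). Assumed format:
# ip - - [ts] "METHOD target PROTO" status bytes "body" (body logged by the proxy)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /api.php/data/ HTTP/1.1" 200 512 "-"
10.0.0.5 - - [01/Mar/2026:10:00:02 +0000] "GET /api.php/data/ HTTP/1.1" 200 512 "-"
10.0.0.5 - - [01/Mar/2026:10:00:03 +0000] "GET /api.php/data/ HTTP/1.1" 200 512 "-"
10.0.0.5 - - [01/Mar/2026:10:00:04 +0000] "POST /objects/?op=set HTTP/1.1" 200 12 "object=Sensor1&property=status&value=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
192.168.1.20 - - [01/Mar/2026:10:00:05 +0000] "POST /objects/?op=set HTTP/1.1" 200 12 "object=Sensor1&property=status&value=on"
192.168.1.20 - - [01/Mar/2026:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 2048 "-"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
# Heuristic: an HTML tag, javascript: URL or on*= handler in a value ("<" before a digit is not flagged).
SCRIPT_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
ENUM_THRESHOLD = 3  # /api.php/data/ hits from one client before calling it enumeration

def is_set_endpoint(target):
    """True for /objects/ requests carrying op=set in the query string."""
    parts = urlsplit(target)
    return parts.path.startswith("/objects/") and parse_qs(parts.query).get("op") == ["set"]

def body_has_script(body):
    """True if any URL-decoded form value in the POST body matches SCRIPT_RE."""
    if body == "-":
        return False
    values = (v for vals in parse_qs(body, keep_blank_values=True).values() for v in vals)
    return any(SCRIPT_RE.search(v) for v in values)

def analyze(log_text):
    """Return findings: script-like writes via op=set, and /api.php/data/ enumeration."""
    findings, data_hits = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash
        rec = m.groupdict()
        if rec["method"] == "POST" and is_set_endpoint(rec["target"]) and body_has_script(rec["body"]):
            findings.append({"kind": "stored_xss_attempt", "ip": rec["ip"], "ts": rec["ts"]})
        if urlsplit(rec["target"]).path == "/api.php/data/":
            data_hits[rec["ip"]] += 1
    for ip, n in data_hits.items():
        if n >= ENUM_THRESHOLD:
            findings.append({"kind": "property_enumeration", "ip": ip, "count": n})
    return findings
```

Run against real proxy logs by feeding the file contents to analyze(); the value heuristic is deliberately loose, so tune SCRIPT_RE to the property values your installation legitimately stores.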