CVE-2019-11193

MEDIUM

DirectAdmin < 1.561 - Cross-Site Scripting via FileManager CMD_FILE_MANAGER Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11193. PoCs published by InfinitumIT.

AI-analyzed exploit summary: This exploit demonstrates multiple vulnerabilities in DirectAdmin up to v1.561, including XSS and CSRF, which can be chained to achieve RCE, add administrators, and manipulate files. The PoC includes JavaScript snippets for exploiting these vulnerabilities via XMLHttpRequest.

Description

The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel.

Exploits (1)

exploitdb WORKING POC
by InfinitumIT · text · webapps · php
https://www.exploit-db.com/exploits/46694


Classification
Working PoC 90%
Attack Type
XSS | Auth Bypass | RCE
Complexity
Moderate
Reliability
Reliable
Target: DirectAdmin <= v1.561
Auth required
Prerequisites: Access to a DirectAdmin session (e.g., via XSS or stolen credentials) · Network access to the DirectAdmin interface
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References (3)

Exploit, Third Party Advisory, Broken Link (x_refsource_misc)
https://numanozdemir.com/respdisc/directadmin.pdf

Exploit, Third Party Advisory, VDB Entry (x_refsource_misc)
http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html

Exploit, Third Party Advisory, VDB Entry, exploit (x_refsource_exploit-db)
https://www.exploit-db.com/exploits/46694

Scores

CVSS v3 6.1
EPSS 0.0209
EPSS Percentile 79.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-352, CWE-79
Status published
Products (1)
directadmin/directadmin < 1.561
Published Apr 30, 2019
Tracked Since Feb 18, 2026