DirectAdmin v1.680 DOM Injection via return-to Parameter (CVE-2025-56561)

Key Information Vulnerability Details Vulnerability Title: DirectAdmin v1.680 DOM Injection via return-to Parameter (UI Misrepresentation) CVE ID: CVE-2025-56561 Risk Level: Medium Affected Versions: DirectAdmin v1.680 and earlier versions Vulnerability Description DirectAdmin v1.680 contains a user interface manipulation vulnerability, exploitable by injecting content into the parameter of the Evolution login page. The application directly reflects the user-supplied value from the query string into the visible DOM without any sanitization, escaping, or length restrictions. This allows attackers to inject large amounts of visible text into the login interface, pushing legitimate UI elements (such as username and password fields) completely out of view. Reproduction Steps 1. Access: 2. Append a carefully crafted payload after the slash, for example: 3. Use percent-encoded payloads containing dozens or hundreds of hyphens (-) or equivalents, along with percent-encoded content simulating warning messages or phishing text. 4. Upon rendering, the application displays the attacker’s message alongside the login interface, while pushing the original login form out of the visible viewport, preventing user interaction. Impact Legitimate login fields become invisible Users are presented with interface content controlled by the attacker Creates opportunities for phishing or credential theft Injected content may be indexed by search engines or archived, leading to reputational or SEO-related damage Exploitation requires no authentication; triggered via a simple GET request CWE CWE-451: User Interface (UI) Misrepresentation of Critical Information

Goal Reached Thanks to every supporter — we hit 100%!

DirectAdmin v1.680 DOM Injection via return-to Parameter (CVE-2025-56561)