CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability

vendor:

CentOS Web Panel

by:

DKM

4.8

CVSS

MEDIUM

Stored Cross-Site Scripting

CWE

Product Name: CentOS Web Panel

Affected Version From: v0.9.8.763

Affected Version To: v0.9.8.763

Patch Exists: YES

Related CWE: CVE-2019-7646

CPE: a:centos_webpanel:centos_webpanel:0.9.8.763

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: CentOS 7

2019

CentOS Web Panel 0.9.8.763 – Stored Cross-Site Scripting Vulnerability

A Stored Cross Site Scripting vulnerability is found in the 'Package Name' Field within the 'Add a Package (add_package)' module. This is because the application does not properly sanitize the users input.

Mitigation:

Input validation should be done to sanitize user input.

Source

Exploit-DB raw data:

# Exploit Title: CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability
# Google Dork: N/A
# Date: 10 - January - 2019
# Exploit Author: DKM
# Vendor Homepage: http://centos-webpanel.com
# Software Link: http://centos-webpanel.com
# Version: v0.9.8.763 
# Tested on: CentOS 7
# CVE : CVE-2019-7646

# Description:
A Stored Cross Site Scripting vulnerability is found in the "Package Name" Field within the 'Add a Package (add_package)' module. This is because the application does not properly sanitize the users input.


# Steps to Reproduce:
1. Login into the CentOS Web Panel using admin credential.
2. From Navigation Click on "Packages" -> then Click on "Add a Package"
3. In "Package Name" field give payload as: <script>alert(1)</script> and provide other details and click on "Create"
4. Now again from Navigation Click on "Packages" -> then Click on "List Packages"
5. Now one can see that the XSS Payload executed.