Vendor: CentOS Web Panel
By: DKM
CVSS: 4.8 (MEDIUM)
CWE: 79 (Cross-Site Scripting)
Product Name: CentOS Web Panel
Affected Version From: v0.9.8.793 (Free)
Affected Version To: v0.9.8.807 (Pro)
Patch Exists: YES
Related CVE: CVE-2019-11429
CPE: a:centos-webpanel:centos_web_panel
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: CentOS 7
Year: 2019
CentOS Web Panel – Domain Field (Add DNS Zone) Cross-Site Scripting Vulnerability
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) are vulnerable to reflected XSS in the 'Domain' field of the 'DNS Functions' > 'Add DNS Zone' screen. To exploit this vulnerability, an attacker must log in to the CentOS Web Panel with admin credentials, navigate to 'DNS Functions' > 'Add DNS Zone', and enter a malicious payload into the 'Domain' field. When 'Add DNS Zone' is clicked, the payload is executed.
Mitigation:
To mitigate this vulnerability, administrators should apply the vendor patch, and developers should ensure that all user-supplied input (here, the 'Domain' value) is validated before it is used and properly sanitized before it is reflected back into the page.
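The following is an added illustration of the two-layer fix described above, not code from CentOS Web Panel; the function names, the hostname grammar used for the allow-list and the confirmation markup are assumptions. It contrasts a handler that reflects the submitted domain verbatim with one that first rejects anything that is not a syntactically valid DNS zone name and then HTML-escapes whatever it does reflect:

```python
import html
import re

# One DNS label: 1-63 characters, letters, digits and hyphens,
# with no leading or trailing hyphen (RFC 1035 / RFC 1123 hostname rules).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_zone_name(domain: str) -> bool:
    """Allow-list validation: accept only a syntactically valid zone name.

    Anything containing '<', '"', quotes or other markup characters fails
    here, before the value is ever used by the application.
    """
    if not domain or len(domain) > 253:
        return False
    name = domain[:-1] if domain.endswith(".") else domain  # tolerate a trailing dot
    labels = name.split(".")
    if len(labels) < 2:  # require at least "example.tld"
        return False
    return all(_LABEL.match(label) for label in labels)


def render_unsafe(domain: str) -> str:
    """The weak pattern: the submitted value is reflected into HTML as-is."""
    return "<p>Zone added: " + domain + "</p>"


def render_safe(domain: str) -> str:
    """The hardened pattern: validate first, then escape on output.

    Escaping is kept even though validation already rejects markup, so the
    output stays safe if the validation rules are relaxed later.
    """
    if not is_valid_zone_name(domain):
        return "<p>Error: invalid domain name.</p>"
    return "<p>Zone added: " + html.escape(domain, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample submissions, including one carrying markup.
    for submitted in ("example.com", "sub.example.co.uk.", "<b>x</b>.example.com"):
        print(repr(submitted), "->", render_safe(submitted))
```

Validation rejects the malformed value outright, so the error message, not the payload, is what reaches the browser; the escaping step is retained as defence in depth in case a future change widens what the validator accepts.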