# Exploit Title: CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability# Google Dork: N/A# Date: 10 - January - 2019# Exploit Author: DKM# Vendor Homepage: http://centos-webpanel.com# Software Link: http://centos-webpanel.com# Version: v0.9.8.763 # Tested on: CentOS 7# CVE : CVE-2019-7646# Description:
A Stored Cross Site Scripting vulnerability is found in the "Package Name" Field within the 'Add a Package (add_package)' module. This is because the application does not properly sanitize the users input.
# Steps to Reproduce:1. Login into the CentOS Web Panel using admin credential.
2. From Navigation Click on "Packages" ->then Click on "Add a Package"3. In "Package Name" field give payload as: <script>alert(1)</script> and provide other details and click on "Create"4. Now again from Navigation Click on "Packages" ->then Click on "List Packages"5. Now one can see that the XSS Payload executed.
