CentOS Web Panel 0.9.8.763 – Persistent Cross-Site Scripting

• Exploit Database
• 22 阅读

• 作者： DKM
  日期： 2019-02-11
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/46349/

• # Exploit Title: CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability
  # Google Dork: N/A
  # Date: 10 - January - 2019
  # Exploit Author: DKM
  # Vendor Homepage: http://centos-webpanel.com
  # Software Link: http://centos-webpanel.com
  # Version: v0.9.8.763 
  # Tested on: CentOS 7
  # CVE : CVE-2019-7646
  
  # Description:
  A Stored Cross Site Scripting vulnerability is found in the "Package Name" Field within the 'Add a Package (add_package)' module. This is because the application does not properly sanitize the users input.
  
  
  # Steps to Reproduce:
  1. Login into the CentOS Web Panel using admin credential.
  2. From Navigation Click on "Packages" -> then Click on "Add a Package"
  3. In "Package Name" field give payload as: <script>alert(1)</script> and provide other details and click on "Create"
  4. Now again from Navigation Click on "Packages" -> then Click on "List Packages"
  5. Now one can see that the XSS Payload executed.