AjentiCP 1.2.23.13 – Cross-Site Scripting

• Exploit Database
• 110 阅读

• 作者： Numan OZDEMIR
  日期： 2018-10-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45691/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

  # Title: AjentiCP 1.2.23.13 - Cross-Site Scripting # Author: Numan OZDEMIR (https://infinitumit.com.tr) # Vendor Homepage: ajenti.org # Software Link: https://github.com/ajenti/ajenti # Version: Up to v1.2.23.13 # CVE: CVE-2018-18548   # Description:   # Attacker can inject JavaScript codes without Ajenti privileges by this # vulnerabillity. # Normally an attacker cant intervene to Ajenti without Ajenti privileges. # But with this vulnerability, if attacker can create a folder (may be by # a web app vulnerability) he can run # bad-purposed JavaScript codes on Ajenti user&apos;s browser, while the user # using File Manager tool. # So this vulnerability makes high risk.   # How to Reproduce: 1)- Create a directory as named xss payload. Like, im<img src onerror=alert(1337)>dir 2)- Open this directory in File Manager tool in Ajenti server admin panel.