Lucene search
DKM1337DAY-ID-32452HistoryMar 29, 2019 - 12:00 a.m.
CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting Vulnerability
2019-03-2900:00:00
DKM
0day.today
35
Exploit for linux platform in category web applications
# Exploit Title: CentOS Web Panel 0.9.8.789 - NameServer Field Stored Cross-Site Scripting Vulnerability
# Exploit Author: DKM
# Vendor Homepage: http://centos-webpanel.com
# Software Link: http://centos-webpanel.com
# Version: 0.9.8.789
# Tested on: CentOS 7
# CVE : CVE-2019-10261
# Description:
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via "DNS Functions" for "Edit Nameservers IPs" action. This is because the application does not properly sanitize the users input.
# Steps to Reproduce:
1. Login into the CentOS Web Panel using admin credential.
2. From Navigation Click on "DNS Functions" -> then Click on "Edit Nameservers IPs"
3. In "Name Server 1" and "Name Server 2" field give simple payload as: <script>alert(1)</script> and Click Save Changes
4. Now one can see that the XSS Payload executed and even accessing the home page Stored XSS for nameservers executes.
# 0day.today [2019-03-30] #Related
cve
cve
CVE-2019-10261
2019-04-03 15:29:01
exploitpack
exploitpack
packetstorm
packetstorm
CentOS Web Panel 0.9.8.789 Cross Site Scripting
2019-03-29 00:00:00
nvd
nvd
CVE-2019-10261
2019-04-03 15:29:01
prion
prion
Cross site scripting
2019-04-03 15:29:00
cvelist
cvelist
CVE-2019-10261
2019-04-03 14:07:38
exploitdb
exploitdb
Related for 1337DAY-ID-32452