CentOS Web Panel v0.9.8.763 or Below Stored XSS Vulnerability
A stored cross-site scripting (stored XSS) vulnerability exists in the "Package Name" field of the "Add a Package (add_package)" module of CentOS Web Panel, because the application does not properly sanitize user input.
(Copy of the Homepage: http://centos-webpanel.com/features )
Steps to Reproduce:
1. Log in to the CentOS Web Panel using admin credentials.
2. From the navigation, click "Packages", then click "Add a Package".
3. In the "Package Name" field, enter a simple alert XSS payload, provide the other details, then click Save/Create.
4. From the navigation, click "Packages" again, then click "List Packages".
5. The XSS payload now triggers, confirming the presence of stored XSS.
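The defect reproduced above is closed by HTML-encoding the stored package name where "List Packages" writes it into the page, with validation at save time as a second layer. The PHP below is an added example, not CWP's code and not from the advisory's author; the function names, row layout and name allowlist are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names throughout; this is not CWP source code.

// Vulnerable pattern: the stored name is concatenated into HTML unescaped,
// so markup saved in "Package Name" runs for whoever opens the package list.
function render_package_row_unsafe(array $pkg): string
{
    return '<tr><td>' . $pkg['name'] . '</td><td>' . $pkg['disk_mb'] . '</td></tr>';
}

// Encode for the HTML context at render time, including both quote styles.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened output: text fields are encoded, numeric fields are cast.
function render_package_row(array $pkg): string
{
    return '<tr><td>' . h((string) $pkg['name']) . '</td><td>'
         . (int) $pkg['disk_mb'] . '</td></tr>';
}

// Defence in depth at save time: an allowlist for package names
// (assumed policy for this example, not a rule taken from CWP).
function is_valid_package_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9 _.-]{0,62}\z/', $name) === 1;
}

// Constructed sample rows standing in for what the packages table returns.
$rows = [
    ['name' => 'basic-plan', 'disk_mb' => 1024],
    ['name' => '<script>alert(1)</script>', 'disk_mb' => 2048],
];

foreach ($rows as $pkg) {
    printf(
        "valid=%s\n  unsafe: %s\n  safe:   %s\n",
        is_valid_package_name($pkg['name']) ? 'yes' : 'no',
        render_package_row_unsafe($pkg),
        render_package_row($pkg)
    );
}
```

Encoding at output is the control that matters, because it also neutralises values stored before any validation was introduced.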
2019-01-10
Cross Site Scripting - Persistent
Abstract Advisory Information:
Dinesh Kumar Mohanty discovered a stored XSS vulnerability in CentOS Web Panel v0.9.8.763.
CWP Product: CentOS Web Panel - (CWP) 0.9.8.763
Restricted authentication - User privileges