Lucene search
Pongtorn AngsuchotmeteePACKETSTORM:154990HistoryOct 25, 2019 - 12:00 a.m.
CWP 0.9.8.885 Cross Site Scripting
2019-10-2500:00:00
Pongtorn Angsuchotmetee
packetstormsecurity.com
115
0.0004 Low
EPSS
Percentile
5.1%
`# Exploit Title: CWP (CentOS Control Web Panel) Store Cross Site Scripting
# Date: 25 Oct 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.885
# CVE : CVE-2019-16295
+++++++++++++++++++++++++++++++++
# Description:
+++++++++++++++++++++++++++++++++
User can add XSS payload in Directory Name , Filename , file extension in function "File Manager"
+++++++++++++++++++++++++++++++++
# Steps to Reproduce
+++++++++++++++++++++++++++++++++
1. In user panel go to File Management --> File Manager
2. Go to "Create Directory" or "Create File" and insert XSS payload "<img src=x onerror=javascript:alert(document.cookie)>"
3. XSS will trigger.
+++++++++++++++++++++++++++++++++
# PoC
+++++++++++++++++++++++++++++++++
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-16295.md
+++++++++++++++++++++++++++++++++
# Timeline
+++++++++++++++++++++++++++++++++
2019-07-19: Discovered the bug
2019-07-19: Reported to vendor
2019-07-23: Vender accepted the vulnerability
2019-10-23: The vulnerability has been fixed
2019-10-25: Advisory published
+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak
`
Related
cve
cve
CVE-2019-16295
2019-10-31 21:15:13
cvelist
cvelist
CVE-2019-16295
2019-10-31 20:59:30
nvd
nvd
CVE-2019-16295
2019-10-31 21:15:13
prion
prion
Cross site scripting
2019-10-31 21:15:00