AjentiCP 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1362210 漏洞类型 跨站脚本
发布时间 2018-10-25 更新时间 2018-10-25
CVE编号 CVE-2018-18548 CNNVD-ID CNNVD-201810-1129
漏洞平台 PHP CVSS评分 N/A
AjentiCP是一款主机管理面板。 AjentiCP及之前版本中存在跨站脚本漏洞。远程攻击者可利用该漏洞在用户浏览器中执行恶意的JavaScript代码。
# Title: AjentiCP - Cross-Site Scripting
# Author: Numan OZDEMIR (https://infinitumit.com.tr)
# Vendor Homepage: ajenti.org
# Software Link: https://github.com/ajenti/ajenti
# Version: Up to v1.2.23.13
# CVE: CVE-2018-18548

# Description:

# Attacker can inject JavaScript codes without Ajenti privileges by this
# vulnerabillity.
# Normally an attacker cant intervene to Ajenti without Ajenti privileges.
# But with this vulnerability, if attacker can create a folder (may be by
# a web app vulnerability) he can run
# bad-purposed JavaScript codes on Ajenti user's browser, while the user
# using File Manager tool.
# So this vulnerability makes high risk.

# How to Reproduce:
1)- Create a directory as named xss payload. Like, im<img src onerror=alert(1337)>dir
2)- Open this directory in File Manager tool in Ajenti server admin panel.