Tuesday, March 5, 2024

Multiple Persistent XSS vulnerabilities in CentOS Web Panel

CentOS Web Panel is a Linux based web panel like Cpanel or Plesk and it has a couple of features for server management.

A Client-Side XSS vulnerability detected with CentOS Web Panel Version 0.9.8.12, allows an attacker to inject remote codes into the client-side browser to application requests.

With XSS vulnerability attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.

The vulnerabilities are located in the `id` and `email_address` parameters of the `index.php` file POST method request. Remote attackers are able to inject script code to the POST method request to manipulate the item listing output context. The request method to inject is POST and the attack vector is persistent on the application-side. The injection points are the both add POST method requests and the execution point occurs in the output location of both modules.

Security Researchers from vulnerability laboratory detected the vulnerability, it allows an attacker to hijack the sessions, Phishing attacks, malicious external redirects.

Also Read All Versions of ASUS Routers Affected by Multiple Vulnerabilities that Allows to Gain Complete Router Access

The vulnerability is categorized as a medium one and the exploitation requires no privileged web-application user account and low user interaction. Researchers published a PoC explaining the vulnerability.

Mitigations – CentOS Web Panel

  • Researchers suggested sanitizing in the vulnerable `id` and `email address` parameters of the index.php file.
  • Disallow special characters and parameter inputs.
Website

Latest articles

GTPDOOR – Previously Unknown Linux Malware Attack Telecom Networks

Researchers have discovered a new backdoor named GTPDOOR that targets telecommunication network systems within...

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles