Information

Product             : CWP Control Web Panel
Vulnerability Name  : Cross Site Scripting
Version             : 0.9.8.837
Fixed in            : 0.9.8.851
Tested on           : CentOS 7.6.1810 (Core)
Reference           : http://centos-webpanel.com/
                    : https://control-webpanel.com/changelog
CVE-Number          : CVE-2019-13476

Description

A user can add a "New Mail box" whose "domain" parameter contains an XSS payload; the value is stored without validation and later rendered in the admin panel.

Reproduce

  1. In the user panel, browse to https://192.168.242.135:2083/cwp_1a73dced77d0eb7f/test1/?module=email_accounts, or click "Email Accounts" under the Email Accounts menu and click it again, as in the image below.

  2. Click "Add a New MailBox".

  3. Fill in the information.

  4. Use Burp Suite to intercept the request, then modify the "domain" parameter to an XSS payload.

  5. The email account is added successfully; the "domain" parameter is not validated.

  6. In the user's mailbox list, the account does not appear after adding the email with the XSS payload, but in the admin panel it is added successfully.

  7. In the admin panel, click Email --> Email Accounts; the XSS payload is visible there.

  8. Clicking any button such as Change Password, Suspend, or Delete executes the XSS payload.

  9. In this example I clicked Change Password, and the XSS was executed.
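As an added illustration of the fix this advisory implies (not code from the CWP project), the following Python shows the two layers that stop this class of stored XSS: a server-side allow-list check of the mailbox "user" and "domain" parameters, which cannot be bypassed by editing the request in an intercepting proxy, and HTML escaping when a stored value is rendered in the admin panel. The function names, the `user` parameter and the sample requests are assumptions constructed for the example.

```python
import html
import re

# One DNS label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Mailbox local part: a conservative allow-list (no quotes, angle brackets or spaces).
_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_domain(domain: str) -> bool:
    """Allow-list check for a mail domain; any value containing markup fails here."""
    if not domain or len(domain) > 253:
        return False
    labels = domain.rstrip(".").split(".")
    if len(labels) < 2:  # require at least a name and a TLD
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def validate_mailbox_request(params: dict) -> dict:
    """Hypothetical server-side handler for the 'Add a New MailBox' parameters.

    Raises ValueError instead of storing bad input, so a client that skips the
    browser-side checks still cannot persist markup in the 'domain' field.
    """
    user = params.get("user", "")
    domain = params.get("domain", "")
    if not _USER_RE.match(user):
        raise ValueError("invalid mailbox user")
    if not is_valid_domain(domain):
        raise ValueError("invalid mailbox domain")
    return {"user": user, "domain": domain.lower()}


def render_mailbox_row(user: str, domain: str) -> str:
    """Second layer: escape on output, so a value that reached storage through
    some other path is rendered as text in the admin panel, not as HTML."""
    address = html.escape(f"{user}@{domain}", quote=True)
    return f"<tr><td>{address}</td><td>{html.escape(domain, quote=True)}</td></tr>"


if __name__ == "__main__":
    # Constructed sample requests (not taken from the advisory).
    good = {"user": "test1", "domain": "example.com"}
    bad = {"user": "test1", "domain": 'example.com"><b>x</b>'}
    print(validate_mailbox_request(good))
    try:
        validate_mailbox_request(bad)
    except ValueError as exc:
        print("rejected:", exc)
    # Output encoding alone would neutralise the value if it ever reached storage:
    print(render_mailbox_row(bad["user"], bad["domain"]))
```

The validation step is the fix the advisory calls for (the "domain" parameter was accepted "without input validate"); the escaping step is the defence-in-depth measure that keeps the admin panel safe even if a stored value was written by an older, unvalidated code path.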




Timeline

2019-06-05: Discovered the bug
2019-06-05: Reported to vendor
2019-06-05: Vendor accepted the vulnerability
2019-07-17: The vulnerability has been fixed
2019-08-20: Advisory published

Discovered by

Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak