Ajenticp 1.2.23.13 crosssite scripting Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-10-25 | Type : webapps | Platform : php
This exploit / vulnerability Ajenticp 1.2.23.13 crosssite scripting is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Title: AjentiCP 1.2.23.13 - Cross-Site Scripting
# Author: Numan OZDEMIR (https://infinitumit.com.tr)
# Vendor Homepage: ajenti.org
# Software Link: https://github.com/ajenti/ajenti
# Version: Up to v1.2.23.13
# CVE: CVE-2018-18548

# Description:

# Attacker can inject JavaScript codes without Ajenti privileges by this
# vulnerabillity.
# Normally an attacker cant intervene to Ajenti without Ajenti privileges.
# But with this vulnerability, if attacker can create a folder (may be by
# a web app vulnerability) he can run
# bad-purposed JavaScript codes on Ajenti user's browser, while the user
# using File Manager tool.
# So this vulnerability makes high risk.

# How to Reproduce:
1)- Create a directory as named xss payload. Like, im<img src onerror=alert(1337)>dir
2)- Open this directory in File Manager tool in Ajenti server admin panel.

Ajenticp 1.2.23.13 crosssite scripting


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Ajenticp 1.2.23.13 crosssite scripting Vulnerability / Exploit