Dkm

**Name of the Vulnerable Software and Affected Versions** CentOS Web Panel versions 0.9.8.753 through 0.9.8.807, 0.9.8.793 **Description** The issue concerns a Reflected XSS vulnerability related to the "Domain" field on the "DNS Functions > Add DNS Zone" screen. **Recommendations** For versions 0.9.8.753 through 0.9.8.807, and 0.9.8.793, consider restricting access to the "Add DNS Zone" screen until a fix is available. As a temporary workaround, avoid using the "Domain" field in the "Add DNS Zone" screen to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CentOS Web Panel versions 0.9.8.753 through 0.9.8.793 **Description** The issue is related to a Stored/Persistent XSS vulnerability in the Admin Email fields on the "CWP Settings > Edit Settings" screen. This can be exploited by changing the email ID to any XSS Payload and clicking on Save Changes, resulting in the execution of the XSS Payload. The vulnerability is also described as a configuration issue related to the protection of the web page structure, which can allow a remote attacker to perform a cross-site scripting attack by modifying the administrator's email identifier. **Recommendations** For versions 0.9.8.753 through 0.9.8.793, consider disabling the "Edit Settings" screen in the "CWP Settings" section until a patch is available to prevent exploitation of the Stored/Persistent XSS vulnerability. Restrict access to the administrator's email settings to minimize the risk of exploitation. Avoid using the `email ID` field in the affected settings screen until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CentOS Web Panel version 0.9.8.789 **Description** The issue concerns a Stored/Persistent XSS vulnerability in the DNS Functions component of the application, specifically affecting the "Name Server 1" and "Name Server 2" fields via the "Edit Nameservers IPs" action. This vulnerability can be exploited by a remote attacker to perform cross-site scripting. **Recommendations** For CentOS Web Panel version 0.9.8.789, as a temporary workaround, consider restricting access to the DNS Functions component, specifically the "Edit Nameservers IPs" action, to minimize the risk of exploitation. Avoid using the `Name Server 1` and `Name Server 2` fields in the affected DNS Functions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CentOS Web Panel versions through 0.9.8.763 **Description** The issue concerns a Stored/Persistent XSS vulnerability. It affects the `add package` module, specifically the `Package Name` field. This allows for potential exploitation via the module parameter. **Recommendations** For versions through 0.9.8.763, as a temporary workaround, consider restricting access to the `add package` module until a patch is available. Avoid using the `Package Name` field in the affected module to minimize the risk of exploitation.