CVE-2018-18324

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions CentOS Web Panel version 0.9.8.480

Description The issue concerns a Cross-Site Scripting (XSS) problem. It affects the fm current dir parameter in the "admin/fileManager2.php" endpoint, as well as the module, service start, service fullstatus, service restart, service stop, or file (within the file editor) parameters in the "admin/index.php" endpoint.

Recommendations For version 0.9.8.480, consider disabling the fm current dir parameter in the "admin/fileManager2.php" endpoint and the affected parameters in the "admin/index.php" endpoint until a patch is available. Restrict access to the file editor in the "admin/index.php" endpoint to minimize the risk of exploitation. Avoid using the affected parameters in the vulnerable endpoints until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-18324

Affected Products

Centos Web Panel

CVE-2018-18324

Weakness Enumeration

Related Identifiers

Affected Products

References · 6