PT-2019-13548 · Xavier · Xavier Php Management Panel

Published

2019-07-26

·

Updated

2020-08-24

·

CVE-2019-14228

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Xavier PHP Management Panel version 3.0
Description: The issue is a reflected, POST-based XSS via the username parameter when registering a new user at the "admin/includes/adminprocess.php" endpoint. If user registration fails, the submitted username is written into the error page without HTML encoding, so markup and script in it are rendered by the browser. Because the endpoint has no CSRF protection, the XSS can be chained with CSRF: an attacker with no access to the panel hosts a page that auto-submits the malicious registration request, and a logged-in administrator who visits it triggers the payload in their own session, which is what makes the issue remotely exploitable (CVSS UI:R, S:C).
Recommendations: For Xavier PHP Management Panel version 3.0, HTML-encode the username (and any other user-supplied value) wherever it is reflected into a page, and add CSRF protection to the "admin/includes/adminprocess.php" endpoint, for example a per-session token that is checked on every state-changing POST. Input validation of the username is useful in addition, but output encoding is the control that stops the reflection. As a temporary workaround, restrict access to the admin/includes/adminprocess.php endpoint; note that the CSRF chain rides on the administrator's own browser session, so a network-level restriction does not block it on its own, and a SameSite cookie attribute or an Origin/Referer check on the endpoint is a more effective stopgap.
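The following is an added example, not code from Xavier PHP Management Panel or from the advisory author. It shows a minimal registration handler in the vulnerable shape the advisory describes (username reflected raw into the error message) next to a hardened version that checks a per-session CSRF token and HTML-encodes the reflected value. Only the endpoint name and the "username" parameter come from the advisory; the helper names (csrf_token, csrf_check, h, register_user), the username validation rule and the csrf_token field name are assumptions for illustration.

```php
<?php
// Added example (not the project's code): vulnerable vs. hardened handling of a
// failed registration at admin/includes/adminprocess.php. Helper names, the
// username rule and the "csrf_token" field are assumptions for illustration.

declare(strict_types=1);
session_start();

// --- CSRF token: one random value per session, compared in constant time ----
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // A cross-site form cannot read the session token, so a missing or wrong
    // token identifies a forged request. hash_equals() avoids timing leaks.
    return $submitted !== null && $expected !== ''
        && hash_equals($expected, $submitted);
}

// --- Output encoding for an HTML text/attribute context -----------------------
function h(string $s): string {
    // ENT_QUOTES encodes both quote styles, so the value is also inert inside a
    // quoted attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding ''.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Simulated registration: succeeds only for a conservative username shape.
// (Assumed rule; the real panel's validation is not described on the page.)
function register_user(string $username): bool {
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username);
}

// --- VULNERABLE handler: the pattern the advisory describes -------------------
function handle_register_vulnerable(array $post): string {
    $username = (string) ($post['username'] ?? '');
    if (!register_user($username)) {
        // Raw reflection: "<script>" in $username becomes live markup.
        return '<p class="error">Could not register user: ' . $username . '</p>';
    }
    return '<p>User created.</p>';
}

// --- HARDENED handler ---------------------------------------------------------
function handle_register_fixed(array $post, string $method): string {
    if ($method !== 'POST') {
        http_response_code(405);
        return '<p class="error">Method not allowed.</p>';
    }
    // 1. Reject cross-site requests before doing anything with the input.
    if (!csrf_check(isset($post['csrf_token']) ? (string) $post['csrf_token'] : null)) {
        http_response_code(403);
        return '<p class="error">Invalid or missing CSRF token.</p>';
    }
    $username = (string) ($post['username'] ?? '');
    if (!register_user($username)) {
        // 2. Encode on output: the reflected value renders as text, not markup.
        return '<p class="error">Could not register user: ' . h($username) . '</p>';
    }
    return '<p>User created.</p>';
}

// Constructed sample request body (not a real capture) to compare both handlers.
$payload = ['username' => '"><script>alert(document.domain)</script>'];

echo handle_register_vulnerable($payload), PHP_EOL;           // script survives
echo handle_register_fixed($payload, 'POST'), PHP_EOL;        // rejected: no token
$payload['csrf_token'] = csrf_token();                        // legitimate form
echo handle_register_fixed($payload, 'POST'), PHP_EOL;        // encoded, inert
```

The order of the two checks in the hardened handler matters: the CSRF check runs first so that a forged request never reaches the code that reflects input, and the encoding is applied at the point of output rather than on the way in, so the username stored in the database stays unchanged and the same value is safe to reflect in any later HTML context. The legitimate registration form must embed csrf_token() in a hidden field so that the third call succeeds while a cross-site form cannot.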

Exploit

Fix

CSRF

XSS

Related Identifiers

CVE-2019-14228

Affected Products

Xavier Php Management Panel