PT-2019-4137 · Centos · Centos Web Panel

Dkm · Published 2019-04-06 · Updated 2019-05-02 · CVE-2019-10893

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: CentOS Web Panel versions 0.9.8.753 through 0.9.8.793

Description: The issue is a Stored/Persistent XSS vulnerability in the Admin Email fields on the "CWP Settings > Edit Settings" screen. It can be exploited by changing the email ID to an XSS payload and clicking on Save Changes, after which the payload is executed. The vulnerability is also described as a configuration issue related to the protection of the web page structure, which can allow a remote attacker to perform a cross-site scripting attack by modifying the administrator's email identifier.

Recommendations: For versions 0.9.8.753 through 0.9.8.793, consider disabling the "Edit Settings" screen in the "CWP Settings" section until a patch is available, to prevent exploitation of the Stored/Persistent XSS vulnerability. Restrict access to the administrator's email settings to minimize the risk of exploitation. Avoid using the email ID field in the affected settings screen until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
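The advisory describes the classic shape of a stored XSS in a settings form: a value saved without validation and later written back into the page without escaping. The following is an added example, not CentOS Web Panel code, showing the two server-side controls that close this class of bug (reject anything that is not a plain mailbox address on save, and HTML-escape the stored value on render). The regular expression, function names and the sample input are constructed for illustration.

```python
import html
import re

# Constructed example, not CentOS Web Panel code. Two independent controls for a
# stored XSS in a settings field: validate the value before it is persisted, and
# HTML-escape it whenever it is rendered back into a page.

# Conservative mailbox syntax check (hypothetical; not CWP's own validation). It
# only admits characters found in ordinary addresses, so HTML metacharacters such
# as '<', '>', '"' and "'" can never reach the settings store.
_PLAIN_EMAIL = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def is_plain_email(value: str) -> bool:
    """True only if value is a single, plainly formatted mailbox address."""
    candidate = value.strip()
    return len(candidate) <= 254 and _PLAIN_EMAIL.fullmatch(candidate) is not None


def save_admin_email(settings: dict, submitted: str) -> dict:
    """Server-side validation on 'Save Changes': anything that is not a plain
    address is rejected before it can be stored."""
    if not is_plain_email(submitted):
        raise ValueError("admin email rejected: not a plain mailbox address")
    settings["admin_email"] = submitted.strip()
    return settings


def render_admin_email_field_unescaped(settings: dict) -> str:
    """The rendering pattern the advisory describes: the stored value is
    interpolated raw, so markup saved in the field becomes part of the page."""
    return '<input name="admin_email" value="%s">' % settings.get("admin_email", "")


def render_admin_email_field_escaped(settings: dict) -> str:
    """Hardened rendering: escape on output regardless of what was stored,
    so validation and encoding back each other up (defence in depth)."""
    escaped = html.escape(settings.get("admin_email", ""), quote=True)
    return '<input name="admin_email" value="%s">' % escaped


if __name__ == "__main__":
    # Constructed sample input: a value that closes the attribute and inserts
    # harmless markup. It stands in for the payload the advisory mentions.
    tainted = 'admin"><i>marker</i>@example.com'
    legacy = {"admin_email": tainted}  # what an unvalidated store would hold
    print("raw render:    ", render_admin_email_field_unescaped(legacy))
    print("escaped render:", render_admin_email_field_escaped(legacy))
    try:
        save_admin_email({}, tainted)
    except ValueError as exc:
        print("save rejected: ", exc)
    print("save accepted: ", save_admin_email({}, "admin@example.com"))
```

Run the module directly to see the raw and escaped renderings of the same stored value side by side; the escaped form keeps the marker inside the attribute as inert text, and the validator refuses to store it in the first place.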

Exploit: XSS


Weakness Enumeration

Related Identifiers

BDU:2019-04717
CVE-2019-10893

Affected Products

Centos Web Panel