CVE-2014-2260 – Ajenti 1.2.13 Cross Site Scripting

About the software

Ajenti is a server administration panel for Linux and FreeBSD.

Vulnerability Details

projectzero labs identified a stored (persistent) cross site scripting vulnerability that affects many of the forms in the ajenti web panel. The vulnerability exists because some data inputs are not properly sanitized and this can lead to malicious code injection that will be executed on the target’s browser.

Report & Proof Of Concept

A detailed report with screenshots as Proof Of Concept can be found in the software’s bug tracker

Vendor has already informed and committed a quick patch

Payload

As payloads we tested the classic alert popup and the url redirection to google:

<script>alert(“XSS”);</script>
<script>window.location = “http://google.com”</script>

For example a vulnerable form is the: System > Cron > Command field
For more information there are some screenshots available in the github bug report

Severity

Medium

Author

Filippos Mastrogiannis

External Links

CVE
NVD
≈ Packet Storm

projectzero2014-001-ajentixss

Comments are closed.