# Exploit Title: CentOS Web Panel 0.9.8.763 - Stored Cross-Site Scripting Vulnerability # Google Dork: N/A # Date: 10 - January - 2019 # Exploit Author: DKM # Vendor Homepage: http://centos-webpanel.com # Software Link: http://centos-webpanel.com # Version: v0.9.8.763 # Tested on: CentOS 7 # CVE : CVE-2019-7646 # Description: A Stored Cross Site Scripting vulnerability is found in the "Package Name" Field within the 'Add a Package (add_package)' module. This is because the application does not properly sanitize the users input. # Steps to Reproduce: 1. Login into the CentOS Web Panel using admin credential. 2. From Navigation Click on "Packages" -> then Click on "Add a Package" 3. In "Package Name" field give payload as: <script>alert(1)</script> and provide other details and click on "Create" 4. Now again from Navigation Click on "Packages" -> then Click on "List Packages" 5. Now one can see that the XSS Payload executed.