# Exploit Title: CentOS Web Panel - Domain Field (Add DNS Zone) Cross-Site Scripting Vulnerability # Google Dork: N/A # Date: 22 - April - 2019 # Exploit Author: DKM # Vendor Homepage: http://centos-webpanel.com # Software Link: http://centos-webpanel.com # Version: v0.9.8.793 (Free), v0.9.8.753 (Pro) and 0.9.8.807 (Pro) # Tested on: CentOS 7 # CVE : CVE-2019-11429 # Description: CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen. # Steps to Reproduce: 1. Login into the CentOS Web Panel using admin credential. 2. From Navigation Click on "DNS Functions" > "Add DNS Zone" 3. In "Domain" field give simple payload as: "<script>alert(1)</script>//" , fill other details like IP and Admin Email and Click "Add DNS zone" 4. Now one can see that the XSS Payload executed.