# Title: AjentiCP 1.2.23.13 - Cross-Site Scripting # Author: Numan OZDEMIR (https://infinitumit.com.tr) # Vendor Homepage: ajenti.org # Software Link: https://github.com/ajenti/ajenti # Version: Up to v1.2.23.13 # CVE: CVE-2018-18548 # Description: # Attacker can inject JavaScript codes without Ajenti privileges by this # vulnerabillity. # Normally an attacker cant intervene to Ajenti without Ajenti privileges. # But with this vulnerability, if attacker can create a folder (may be by # a web app vulnerability) he can run # bad-purposed JavaScript codes on Ajenti user's browser, while the user # using File Manager tool. # So this vulnerability makes high risk. # How to Reproduce: 1)- Create a directory as named xss payload. Like, imdir 2)- Open this directory in File Manager tool in Ajenti server admin panel.