Eugene Ajenti 'respond_error' Multiple Cross-Site Scripting Vulnerabilities Network Vulnerability

Summary

This host is installed with Eugene Ajenti and is prone to multiple cross-site scripting vulnerability.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to Eugene Pankov Ajenti version 1.2.21.7 or later, For updates refer to http://ajenti.org

Insight

The flaws exist due to 'respond_error' function in routing.py which does not validate input passed via the URL to resources.js and resources.css before returning it to users.

Affected

Eugene Pankov Ajenti before version 1.2.21.7

Detection

Send a crafted data via HTTP GET request and check whether it is able to read cookie or not.

References

http://www.osvdb.com/108046
http://xforce.iss.net/xforce/xfdb/93903
https://www.netsparker.com/critical-xss-vulnerabilities-in-ajenti

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-4301
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache CouchDB Cross Site Request Forgery Vulnerability
Apache OFBiz Multiple Cross Site Scripting Vulnerabilities
Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability
Apache Tomcat cal2.jsp Cross Site Scripting Vulnerability
Apache Web Server ETag Header Information Disclosure Weakness

Take action and discover your vulnerabilities