CtrlPanel Cross-Site Scripting Vulnerability in Ticket Priority Field
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability has been identified in CtrlPanel, billing software for hosting providers, in versions prior to 1.0. The issue lies in TicketsController and Moderation/TicketsController: the priority field submitted at ticket creation is not validated against the set of allowed values, so an arbitrary string is stored with the ticket and later rendered as raw HTML in the moderator panel instead of being escaped. An attacker who can open a ticket can therefore execute script in the browser of any moderator who views it.
Impact
Exploitation results in stored Cross-Site Scripting: the injected script is persisted with the ticket and executes in the moderator's browser, within the moderator's authenticated session, whenever the ticket is viewed in the moderator panel.
Reproduction
To reproduce, create a ticket as a regular user and submit a priority value that contains a script payload rather than one of the expected priority labels. Once the ticket is saved, open it in the moderator panel: the unsanitized priority value is rendered as HTML and the injected script executes.
Remediation
Update to CtrlPanel version 1.0 or later, which includes a patch for this vulnerability. Tickets created before the update should also be reviewed, since a priority value containing script that was stored before patching may still be present in the database. As general hardening, the priority field should be validated server-side against a fixed allow-list of values, and the moderator panel should HTML-escape the value when rendering it.
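The pattern the advisory describes and its fix, as an added example written here in Laravel-style PHP. This is illustrative code, not CtrlPanel's own controller; the model class, route name and column names are assumptions.

```php
<?php
// Added example (not CtrlPanel's own code): the vulnerable pattern described
// in the advisory beside a hardened version. Ticket model, route name and
// column names are assumptions for illustration.

namespace App\Http\Controllers;

use App\Models\Ticket;            // assumed model name
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class TicketsController extends Controller
{
    /** The only priorities the application knows; anything else is rejected. */
    public const PRIORITIES = ['Low', 'Medium', 'High'];

    // VULNERABLE (the pattern the advisory describes): the priority is taken
    // from the request as-is and persisted, so a value such as
    // "<script>…</script>" is stored and later shown to moderators.
    public function storeVulnerable(Request $request)
    {
        $ticket = Ticket::create([
            'title'    => $request->input('title'),
            'priority' => $request->input('priority'), // no allow-list check
        ]);

        return redirect()->route('ticket.show', $ticket->id);
    }

    // HARDENED: the priority must be one of a fixed set. validate() throws a
    // ValidationException (422 for JSON clients, redirect-back with errors
    // for forms) before anything reaches the database.
    public function store(Request $request)
    {
        $data = $request->validate([
            'title'    => ['required', 'string', 'max:191'],
            'priority' => ['required', Rule::in(self::PRIORITIES)],
        ]);

        $ticket = Ticket::create($data);

        return redirect()->route('ticket.show', $ticket->id);
    }
}
```

Validation closes the reported entry point; output encoding is the second layer. In a Blade view, `{{ $ticket->priority }}` HTML-escapes the value, while `{!! $ticket->priority !!}` emits it as raw HTML and would reproduce the bug even with a clean database, so raw-output syntax on any user-controlled field should be treated as a finding in review.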
