Easy Hosting Control Panel Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Easy Hosting Control Panel (EHCP) version 20.04.1.b. This vulnerability allows authenticated attackers to execute arbitrary JavaScript by injecting a crafted payload into the ftpusername parameter within the List All FTP User Function. The exploitation of this vulnerability could lead to session hijacking, redirection to malicious sites, defacement, or other actions performed in the context of the affected user.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute malicious JavaScript in the context of the user's browser session.

Reproduction

To reproduce this vulnerability, an authenticated user can send a GET request to the 'editftpuser' operation of 'index.php' with a payload injected into the 'ftpusername' parameter. The injected script will be executed as soon as the response is received.