CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2019-14228

Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based XSS via the username parameter when registering a new user at admin/includes/adminprocess.php. If there is an error when registering the user, the unsanitized username will reflect via the error page. Due to the lack of CSRF protection on the admin/includes/adminprocess.php endpoint, an attacker is able to chain the XSS with CSRF in order to cause remote exploitation.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 30.6%

CVSS Severity

CVSS v3 Score 6.1

CVSS v2 Score 4.3

References

https://codecanyon.net/item/xavier-php-login-script-user-management/9146226
https://m-q-t.github.io/notes/xavier-csrf-to-xss-takeover/
https://codecanyon.net/item/xavier-php-login-script-user-management/9146226
https://m-q-t.github.io/notes/xavier-csrf-to-xss-takeover/

Products affected by CVE-2019-14228

Angry-Frog » Xavier » Version: 3.0

cpe:2.3:a:angry-frog:xavier:3.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2019-14228

Products

Pricing

Contact Us