# WHMCS Vulnerability - Latest version



## SrsX (Dec 23, 2013)

Vulnerability discovered: 21/12/2013

Vulnerability public disclosure: 23/12/2013

Versions affected: *All*

ACL: *Administrator*

Critical: Semi/Partial

POC: Configuration -> General Settings -> Company Name -> VPS">board

Warnings: From here, if an attacker wants, they can figure out a way to execute raw JavaScript; if successful, the frontend (publicly accessible end) may be executing raw JavaScript implanted by the attacker.

Reported to vendor: 21/12/2013

----------
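The attribute break-out in the PoC above, as an added example that is not part of the thread or of WHMCS's own code: a small Python check showing what a browser builds from the raw value versus the HTML-escaped value, plus a helper for auditing stored settings for markup characters. The two template fragments are constructed stand-ins for the real pages.

```python
"""Output-encoding check for an admin-controlled setting such as the
Company Name field (added example; constructed templates, not WHMCS code).

Assumption: the setting is stored verbatim and later interpolated into
HTML on both the admin area and the client-facing pages."""
import html
from html.parser import HTMLParser

# Constructed payload, matching the thread's PoC value.
POC_VALUE = 'VPS">board'

# Constructed template: the setting lands in an attribute and in body text.
TEMPLATE = ('<input type="text" name="companyname" value="{company}">'
            '<h1>{company}</h1>')


def render_unsafe(company: str) -> str:
    """Vulnerable pattern: raw interpolation of the stored setting."""
    return TEMPLATE.format(company=company)


def render_safe(company: str) -> str:
    """Hardened pattern: escape &, <, >, " and ' before interpolation."""
    return TEMPLATE.format(company=html.escape(company, quote=True))


class _Probe(HTMLParser):
    """Records start tags (with attributes) and text nodes as parsed."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def parse(markup: str):
    """Return ([(tag, attrs), ...], [text, ...]) for the rendered markup."""
    probe = _Probe()
    probe.feed(markup)
    probe.close()
    return probe.tags, probe.text


def needs_review(value: str) -> bool:
    """Audit helper: a plain-text company name should hold no markup chars."""
    return any(c in value for c in '<>"\'&')
```

With the raw rendering the value attribute is truncated to `VPS` and `board">` spills into the page as text; with escaping the attribute and the heading both carry the full string unchanged.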



## yolo (Dec 23, 2013)

mehhh


----------



## SrsX (Dec 23, 2013)

Just discovered a more serious vulnerability on invoices.


----------



## yolo (Dec 23, 2013)

mehhh


----------



## josephb (Dec 24, 2013)

SrsX said:


> Just discovered a more serious vulnerability on invoices.


Another day, another vuln.

Shame really.


----------



## drmike (Dec 24, 2013)

JavasCRAPT.  Seriously, JS is rubbish and neverending horror.

I continue disabling and think JS spiffed sites for the most part need to think long and hard about the crap they are spewing.


----------



## NodeWest-Dan (Dec 24, 2013)

I don't understand how someone could get to your admin panel if you follow the steps on WHMCS for securing it and put it in a password-protected directory.


----------



## SrsX (Dec 24, 2013)


NodeWest-Dan said:


> I don't understand how someone could get to your admin panel if you follow the steps on WHMCS for securing it and put it in a password-protected directory.



Here is the issue: a vulnerability I reported earlier to WHMCS details a SQL injection on the client side. If you inject that, you are able to access the database; from there you can just modify things in the backend and/or read settings from the database, so you don't need access to the admin panel.


----------

