Moderate severity · NVD Advisory · Published Apr 30, 2014 · Updated May 6, 2026
CVE-2014-2260
Description
Cross-site scripting (XSS) vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ajenti (PyPI) | < 1.2.15 | 1.2.15 |
Affected products
Patches
3 files changed · +9 −4
ajenti/plugins/main/content/js/ajenti.coffee+6 −2 modified@@ -322,8 +322,12 @@ class window.Control s: (value) -> - # TODO SANITIZE! - value + ('' + value) /* Forces the conversion to string. */ + .replace(/&/g, '&') /* This MUST be the 1st replacement. */ + .replace(/'/g, ''') /* The 4 other predefined entities, required. */ + .replace(/"/g, '"') + .replace(/</g, '<') + .replace(/>/g, '>') createDom: () -> ""
ajenti/plugins/main/content/js/controls.binding.coffee+2 −1 modified@@ -6,4 +6,5 @@ class window.Controls.bind__template extends window.Control setupDom: (dom) -> super(dom) if @children.length > 0 - @dom = @children[0].dom \ No newline at end of file + @dom = @children[0].dom + @properties = @children[0].properties \ No newline at end of file
ajenti/plugins/main/content/js/controls.inputs.coffee+1 −1 modified@@ -231,7 +231,7 @@ class window.Controls.fileupload extends window.Control super(dom) @progress = new window.Controls.progressbar(@ui, {}, []) $(@dom).find('.pb').append($(@progress.dom)) - @input = @dom.find('input')[0] + @input = $(@dom).find('input')[0] @input.addEventListener 'change', (e) => file = @input.files[0] xhr = new XMLHttpRequest()
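Review bot: In the `s:` helper in ajenti.coffee, every replacement as displayed maps a character to itself (`.replace(/&/g, '&')`, `.replace(/</g, '<')`), which would make the new sanitizer a no-op; the comments ("This MUST be the 1st replacement", "The 4 other predefined entities, required") only make sense if the replacement strings are the entity references `&amp;`, `&#39;`, `&quot;`, `&lt;` and `&gt;`, so confirm the committed file contains those and that they were not decoded when this page was rendered. The ampersand-first ordering is correct, since escaping `&` after the other four would double-escape the entities just produced. The diff also does not show any caller of `s()`; note in the commit message which control renders the Cron command field named in the advisory, so a reviewer can verify that field now passes through this helper.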
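Review bot: The added `@properties = @children[0].properties` in `bind__template.setupDom` in controls.binding.coffee carries no comment explaining why the template must adopt its first child's properties, and nothing in the hunk ties it to the escaping change; a one-line comment or a sentence in the commit message would help. The hunk also leaves the file still ending with `\ No newline at end of file`; since the last line is being touched anyway, add the trailing newline.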
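Review bot: Changing `@dom.find('input')[0]` to `$(@dom).find('input')[0]` in `fileupload.setupDom` in controls.inputs.coffee matches the `$(@dom).find('.pb')` call two lines above and stops calling jQuery's `.find` on a raw DOM node, but it is unrelated to the XSS fix in ajenti.coffee; it would be cleaner as a separate commit, or at least called out in the commit message, so the security change stays reviewable on its own.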
References
- packetstormsecurity.com/files/124804/Ajenti-1.2.13-Cross-Site-Scripting.html (NVD: Exploit, Web)
- github.com/Eugeny/ajenti/commit/3270fd1d78391bb847b4c9ce37cf921f485b1310 (NVD: Exploit, Patch, Web)
- github.com/advisories/GHSA-9crx-p357-5vw8 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-2260 (GHSA: Advisory)
- github.com/Eugeny/ajenti/issues/233 (NVD: Web)
- github.com/ajenti/ajenti/commit/3270fd1d78391bb847b4c9ce37cf921f485b1310 (GHSA: Web)
- github.com/ajenti/ajenti/issues/233 (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/ajenti/PYSEC-2014-98.yaml (GHSA: Web)
- web.archive.org/web/20200229062920/http://www.securityfocus.com/bid/64982 (GHSA: Web)
- www.osvdb.org/102174 (NVD)
- www.securityfocus.com/bid/64982 (NVD)