The vulnerability in CtrlPanel (versions prior to 1.2.0) is a stored XSS caused by improper neutralization of script-related HTML tags in the admin role management interface. Specifically, the datatable() method in app/Http/Controllers/Admin/RoleController.php interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization. The DataTables .rawColumns(['actions', 'name']) call renders the name column as raw HTML, bypassing automatic escaping. An admin with permissions to create or edit roles can inject malicious payloads (e.g., <img src=x onerror="alert('XSS_POC')">) that persist in the database and execute in other admins' browsers when they load the /admin/roles page. This can lead to session hijacking, credential harvesting, lateral privilege escalation, and persistent backdoors. The vulnerability is resolved in CtrlPanel version 1.2.0.

Exploitation allows an admin user with role creation or edit permissions to inject persistent malicious scripts that execute in the browsers of other admins. This can lead to session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, unauthorized admin actions performed on behalf of victims, and persistent backdoors that re-execute on every page load until the malicious role record is removed. The CVSS 3.1 base score is 4.8 (medium severity), reflecting network attack vector, low complexity, high privileges required, user interaction required, and partial confidentiality and integrity impact without availability impact.

This vulnerability is resolved in CtrlPanel version 1.2.0. Users should upgrade to version 1.2.0 or later to remediate the issue. No vendor advisory is provided to indicate alternative mitigations or temporary fixes. Until upgraded, restrict role creation and editing permissions to trusted administrators only to reduce risk.