DirectAdmin CMD_USER_STATS XSS

MEDIUM (4.3) No Patch (6844 days)

Threat Intelligence

High Risk - Exploits exist
EPSS Score: 0.69% chance of exploitation (percentile: 71%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: Exploit-DB


What is it?

DirectAdmin is a web-based control panel for servers and hosting. The CMD_USER_STATS vulnerability in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, which makes it a cross-site scripting (XSS) flaw: a crafted link can execute script in the browser of a logged-in panel user.

Am I affected?

Specific version information is not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Products

DirectAdmin / DirectAdmin

How to fix

Upgrade to DirectAdmin version 1.6.9 or later from the official website: https://www.directadmin.com/

Immediate mitigations:
- Disable the CMD_USER_STATS feature by setting cmd_user_stats = 0 in the /etc/directadmin/conf/directadmin.conf file.
- Update your DirectAdmin installation to ensure you have the latest security patches.
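Since no detection rule for this issue exists in the major open-source tools, the following added example (not DirectAdmin's own code, and not from the original advisory) flags requests in a web-server access log where the RESULT parameter of CMD_USER_STATS carries HTML or script markup. It assumes the panel is logged in Common Log Format and that the command is requested as the path /CMD_USER_STATS; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /CMD_USER_STATS?domain=example.com HTTP/1.1" 200 4312
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /CMD_USER_STATS?RESULT=ok HTTP/1.1" 200 4312
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /CMD_USER_STATS?RESULT=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4400
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /CMD_USER_STATS?RESULT=%3Cb%3Eerror%3C%2Fb%3E HTTP/1.1" 200 4400
192.0.2.3 - - [10/Mar/2024:12:00:05 +0000] "GET /CMD_SHOW_USER?user=bob&RESULT=%3Cscript%3E HTTP/1.1" 200 1200
"""

# Pull only the fields we need: client IP and the request target of the
# quoted request line ("METHOD target HTTP/x.y").
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markup a plain status text should never contain: a tag opener (<tag, </tag)
# or an inline event-handler attribute (onerror=, onload=, ...).
MARKUP_RE = re.compile(r'<\s*/?[a-z]|\bon[a-z]+\s*=', re.IGNORECASE)


def flag_user_stats_xss(log_text):
    """Return (client_ip, decoded RESULT value) for every request to
    CMD_USER_STATS whose RESULT parameter contains HTML/script markup."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Only the vulnerable handler is in scope; other commands are ignored.
        if parts.path.rstrip("/").split("/")[-1] != "CMD_USER_STATS":
            continue
        # parse_qs percent-decodes the values, so encoded tags are seen as '<'.
        for value in parse_qs(parts.query, keep_blank_values=True).get("RESULT", []):
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_user_stats_xss(SAMPLE_LOG):
        print(f"{ip}: RESULT={value!r}")
```

Feed a real access log to flag_user_stats_xss() in place of SAMPLE_LOG; a hit means someone delivered (or tested) an injected RESULT value against the panel, whether or not the feature was already disabled.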