Multiple cross-site scripting (XSS) vulnerabilities in the respond_error function in routing.py in Eugene Pankov Ajenti before 1.2.21.7 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) resources.js or (2) resources.css in ajenti:static/, related to the traceback page.
ajenticp has XSS via a filename that is mishandled in File Manager.
Ajenti contains an Improper Error Handling vulnerability in Login JSON request that can result in a path traversal.
Ajenti contains an Information Disclosure vulnerability that can result in user and system enumeration.
Ajenti contains an Insecure Permissions vulnerability that allows normal users to download arbitrary plugins.
Ajenti contains an Input Validation vulnerability. An attacker can freeze the server by sending a long string through the ID parameter.
Ajenti contains a CSRF vulnerability in the command execution panel of the tool used to manage the server.