Total
80 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15434 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the canal parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9745. | |||||
| CVE-2020-15428 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_crons.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9714. | |||||
| CVE-2019-14723 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a victim's e-mail account via an attacker account. | |||||
| CVE-2020-15426 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_migration_cpanel.php. When parsing the serverip parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9709. | |||||
| CVE-2019-14728 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to add an e-mail forwarding destination to a victim's account via an attacker account. | |||||
| CVE-2020-15621 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 7.8 HIGH | 7.5 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the email parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9711. | |||||
| CVE-2019-13605 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 6.5 MEDIUM | 8.8 HIGH |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360. | |||||
| CVE-2020-15612 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_ftp_manager.php. When parsing the userLogin parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9737. | |||||
| CVE-2018-5962 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the id parameter to the phpini_editor module or the email_address parameter to the mail_add-new module. | |||||
| CVE-2019-16295 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 1.9 LOW | 4.6 MEDIUM |
| Stored XSS in filemanager2.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.885 exists via the cmd_arg parameter. This can be exploited by a local attacker who supplies a crafted filename within a directory visited by the victim. | |||||
| CVE-2019-14725 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail usage value of a victim account via an attacker account. | |||||
| CVE-2020-15619 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 7.8 HIGH | 7.5 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the type parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9723. | |||||
| CVE-2020-15610 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the modulo parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9728. | |||||
| CVE-2018-18774 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter. | |||||
| CVE-2020-15420 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-el7-0.9.8.891. Authentication is not required to exploit this vulnerability. The specific flaw exists within loader_ajax.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9259. | |||||
| CVE-2020-15433 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the phpversion parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9715. | |||||
| CVE-2020-15421 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the check_ip parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9707. | |||||
| CVE-2022-25046 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2022-25047 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| The password reset token in CWP v0.9.8.1126 is generated using known or predictable values. | |||||
| CVE-2022-25048 | 1 Control-webpanel | 1 Webpanel | 2022-07-14 | 9.0 HIGH | 8.8 HIGH |
| Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user. | |||||