Filtered by vendor Control-webpanel
Subscriptions
Filtered by product Webpanel
Subscriptions
Total
80 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15420 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-el7-0.9.8.891. Authentication is not required to exploit this vulnerability. The specific flaw exists within loader_ajax.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9259. | ||||
| CVE-2020-15426 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_migration_cpanel.php. When parsing the serverip parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9709. | ||||
| CVE-2020-15430 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9736. | ||||
| CVE-2020-15433 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the phpversion parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9715. | ||||
| CVE-2020-15428 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_crons.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9714. | ||||
| CVE-2020-15424 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the domain parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9735. | ||||
| CVE-2020-15423 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the dominio parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9732. | ||||
| CVE-2020-15427 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_disk_usage.php. When parsing the folderName parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9713. | ||||
| CVE-2020-15429 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_crons.php. When parsing the user parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9716. | ||||
| CVE-2020-15422 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the archivo parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9731. | ||||
| CVE-2020-15425 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9742. | ||||
| CVE-2020-10230 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter. | ||||
| CVE-2021-45467 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter. | ||||
| CVE-2021-45466 | 1 Control-webpanel | 1 Webpanel | 2024-08-04 | 9.8 Critical |
| In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. | ||||
| CVE-2021-31316 | 1 Control-webpanel | 1 Webpanel | 2024-08-03 | 9.8 Critical |
| The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. | ||||
| CVE-2021-31324 | 1 Control-webpanel | 1 Webpanel | 2024-08-03 | 9.8 Critical |
| The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. | ||||
| CVE-2022-44877 | 1 Control-webpanel | 1 Webpanel | 2024-08-03 | 9.8 Critical |
| login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. | ||||
| CVE-2022-25048 | 1 Control-webpanel | 1 Webpanel | 2024-08-03 | 8.8 High |
| Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user. | ||||
| CVE-2022-25046 | 1 Control-webpanel | 1 Webpanel | 2024-08-03 | 9.8 Critical |
| A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | ||||
| CVE-2022-25047 | 1 Control-webpanel | 1 Webpanel | 2024-08-03 | 5.9 Medium |
| The password reset token in CWP v0.9.8.1126 is generated using known or predictable values. | ||||