129 matches found
Control Web Panel Unauthenticated Remote Command Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rex/stopwatch' class MetasploitModule 'CWP login.php Unauthenticated RCE', 'Description' = %q Control Web Panel versions 'Spencer McIntyre', metasploit module...
Linanto Control Web Panel (CWP) 7 < 0.9.8.1147 Command Injection (CVE-2022-44877)
The version of Linanto Control Web Panel CWP 7, a web based control panel application, installed on the remote host is prior to 0.9.8.1147. It is, therefore, affected by a command injection vulnerability in the login parameter of the login/index.php page. Note that Nessus has not tested for this...
Linanto Control Web Panel (CWP) Installed (Linux)
Binary data lintanocontrolwebpanelnixinstalled.nbin...
Control Web Panel < 0.9.8.1147 Remote Code Execution
Control Web Panel CWP, formerly CentOS Web Panel is a free Linux control panel software. CWP versions below 0.9.8.1147 suffer from an operating system command injection through the login GET parameter on the /login/index.php endpoint. By leveraging this vulnerability, an unauthenticated attacker...
Exploitation of Control Web Panel CVE-2022-44877
On January 3, 2023, security researcher Numan Türle published a proof-of-concept exploit for CVE-2022-44877, an unauthenticated remote code execution vulnerability in Control Web Panel CWP, formerly known as CentOS Web Panel that had been fixed in an October 2022 release of CWP. The vulnerability...
CVE-2022-44877, critical RCE in CentOS Control Web Panel exploited in the wild: everything you need to know
Detect and mitigate CVE-2022-44877, a CentOS Control Web Panel CWP unauthenticated RCE exploited in the wild. Security teams are advised to patch urgently...
Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel CWP that enables elevated privileges and unauthenticated remote code execution RCE on susceptible servers. Tracked as CVE-2022-44877 CVSS score: 9.8, the bug impacts all versions of...
Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel CWP that enables elevated privileges and unauthenticated remote code execution RCE on susceptible servers. Tracked as CVE-2022-44877 CVSS score: 9.8, the bug impacts all versions of...
VulnCheck KEV: CVE-2022-44877
CWP Control Web Panel formerly CentOS Web Panel contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter...
CVE-2022-44877
login/index.php in CWP aka Control Web Panel or CentOS Web Panel 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter...
CVE-2022-44877
login/index.php in CWP aka Control Web Panel or CentOS Web Panel 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter...
CVE-2022-44877
login/index.php in CWP aka Control Web Panel or CentOS Web Panel 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter...
CVE-2022-44877
CVE-2022-44877 affects CentOS Web Panel / Control Web Panel (CWP) 7 prior to 0.9.8.1147. The vendor’s login/index.php component is vulnerable to OS command injection via shell metacharacters in the login parameter, enabling remote code execution. Public templates and security feeds describe it as...
CVE-2021-45466
In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, attackers can make a crafted request to api/?api=addserver&DHCP= to add an authorizedkeys text file in the /resources/ folder...
CVE-2021-45467
In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/accountnewcreate&acc=guadaapi URI. Any number of %00...
Design/Logic Flaw
In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, attackers can make a crafted request to api/?api=addserver&DHCP= to add an authorizedkeys text file in the /resources/ folder...
CVE-2021-45466
In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, attackers can make a crafted request to api/?api=addserver&DHCP= to add an authorizedkeys text file in the /resources/ folder...
CVE-2021-45466
In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, attackers can make a crafted request to api/?api=addserver&DHCP= to add an authorizedkeys text file in the /resources/ folder...
CVE-2021-45466
CVE-2021-45466: In CWP (Control Web Panel/CentOS Web Panel) before 0.9.8.1107, a crafted request to api/?api=add_server&DHCP= can cause an authorized_keys file to be written under /resources/. This is a remote, unauthenticated exploit with high impact. CVE-2021-45467: In the same platform before ...
CVE-2021-45467
CWP (Control Web Panel / CentOS Web Panel) is affected by CVE-2021-45467 in versions before 0.9.8.1107. The issue is an unauthenticated null-byte (%00) injection in the scripts parameter of /user/loader.php (and /user/login.php) that can be exploited to register arbitrary API keys or access sensi...