146 matches found
CVE-2019-13360
CVE-2019-13360 affects CentOS Web Panel (CWP) 0.9.8.836. Remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. The Red Hat advisory confirms a similar authentication bypass for affected CWP versions, indicating this class of issue is tied to ...
CVE-2019-13383
CVE-2019-13383 affects CentOS Web Panel (CWP) version 0.9.8.846. The login process leaks user existence by returned HTTP response differences, enabling an attacker to determine whether a username is valid. Root cause: information disclosure via authentication response handling. Public references ...
CVE-2019-13383
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response...
CVE-2019-13605
CVE-2019-13605 affects CentOS Web Panel (CWP) versions 0.9.8.838–0.9.8.846. The issue is an authentication bypass in the login flow that leverages a valid username and relies on defeating an encoding that is not equivalent to base64, as noted in the NVD entry and CNVD/CNVD-derived records. This i...
CentOS Control Web Panel 0.9.8.836 - Privilege Escalation
//====================================================================\ || || || CWP Control Web Panel 0.9.8.836 - 0.9.8.839 || || Root Privilege Escalation || || || \====================================================================//...
CentOS Control Web Panel 0.9.8.836 - Privilege Escalation
CentOS Control Web Panel 0.9.8.836 - Privilege Escalation //====================================================================\ || || || CWP Control Web Panel 0.9.8.836 - 0.9.8.839 || || Root Privilege Escalation || || || \====================================================================//...
CentOS Control Web Panel 0.9.8.838 User Enumeration
Exploit Title: CWP CentOS Control Web Panel 0.9.8.848 User Enumeration via HTTP Response Message Date: 15 July 2019 Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak Vendor Homepage: https://control-webpanel.com/changelog Software Link: Not available, user panel on...
CVE-2019-12190
CVE-2019-12190 affects CentOS Web Panel (CWP) versions through 0.9.8.747. The issue is a cross-site scripting (XSS) vulnerability in the testacc/fileManager2.php endpoint, triggered via the fm_current_dir or filename parameters. The public records consistently note client-side data validation wea...
CVE-2019-11429
CVE-2019-11429 affects CentOS Web Panel (CWP) versions 0.9.8.793 (Free/Open Source), 0.9.8.753 (Pro) and 0.9.8.807 (Pro). The vulnerability is a Reflected XSS in the Domain field of the DNS Zone: Add DNS Zone screen. The root cause is insufficient input sanitization in the Domain field, enabling ...
Design/Logic Flaw
CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.793 Free/Open Source Version and 0.9.8.753 Pro is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload wi...
CVE-2019-10893
CVE-2019-10893 affects CentOS Web Panel versions 0.9.8.793 (Free) and 0.9.8.753 (Pro). It is a stored/persistent XSS in the Admin Email field on the CWP Settings > Edit Settings screen, triggered by saving a crafted email value, with the payload executing in the admin context. Root cause state...
CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting
Exploit Title: CentOS Web Panel v0.9.8.793 Free and v0.9.8.753 Pro - Email Field Stored Cross-Site Scripting Vulnerability Google Dork: N/A Date: 06 - April - 2019 Exploit Author: DKM Vendor Homepage: http://centos-webpanel.com Software Link: http://centos-webpanel.com Version: v0.9.8.793 Free an...
CVE-2019-10261
CWP 0.9.8.789 is vulnerable to Stored/Persistent XSS in the DNS Functions → Edit Nameservers IPs form (Name Server 1/2). Root cause: insufficient input sanitization, enabling an attacker to store and render script payloads to other users. CVE-2019-10261 is described across multiple records with b...
CVE-2019-7646
Summary: CVE-2019-7646 affects CentOS Web Panel (CWP) up to version 0.9.8.763, where the stored/persistent XSS vulnerability exists in the Add a Package (add_package) module via the Package Name field. The issue arises from insufficient input sanitization of the Package Name, enabling an attacker...
CVE-2018-18774
CVE-2018-18774 affects CentOS Web Panel (CentOS Web Panel) versions up to 0.9.8.740. The vulnerability is an XSS flaw exploitable through the admin/index.php endpoint via the module parameter, allowing an attacker to inject arbitrary web script into the administrator’s browser. Several sources in...
CVE-2018-18323
CVE-2018-18323 affects CentOS Web Panel 0.9.8.480. The vulnerability is a Local File Inclusion via directory traversal using the URI admin/index.php?module=file_editor&file=/../, enabling an attacker to read sensitive server files. The connected Nuclei template confirms LFI and notes additional i...
CVE-2018-18322
CVE-2018-18322 affects CentOS Web Panel version 0.9.8.480. The issue is a Command Injection in admin/index.php via shell metacharacters in the API parameters service_start, service_restart, service_fullstatus, or service_stop. Root cause: unsafely handling of those parameters enables injection th...
CVE-2018-18324
CVE-2018-18324 affects CentOS Web Panel (CWP) 0.9.8.480, with a Cross‑Site Scripting (XSS) vulnerability triggered via the fm_current_dir parameter in admin/fileManager2.php or via parameters in admin/index.php (module, service_start/fullstatus/restart/stop, or file within file_editor). Public di...
CVE-2018-5962
CVE-2018-5962 affects CentOS Web Panel (CWP) up to version v0.9.8.12 via XSS in index.php. The vulnerability is triggered by the id parameter in the phpini_editor module or the email_address parameter in the mail_add-new module, allowing cross-site scripting. Public sources in connected records c...
CVE-2009-3919
Cross-site scripting XSS vulnerability in the NGP COO/CWP Integration crmngp module 6.x before 6.x-1.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified "user-supplied information."...