87 matches found
CVE-2019-14722
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete an e-mail forwarding destination from a victim's account via an attacker account...
CVE-2019-14246
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords of any user in /etc/passwd via an attacker account...
CVE-2019-13599
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times...
CVE-2019-13477
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account...
Design/Logic Flaw
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times...
CVE-2019-13477
CWP Control Web Panel version 0.9.8.837 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in the Forgot Password feature, enabling an attacker to change the root password. Root cause: CSRF in the forgot-password flow exposes account password changes to unauthorized requests. Impact...
CVE-2019-13599
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times...
CVE-2019-13599
CVE-2019-13599 affects CentOS Web Panel (CWP) 0.9.8.848, where the login process can be used to determine if a username is valid by comparing response times, creating a user-enumeration timing side-channel. The vulnerability is documented across multiple sources (NVD, Red Hat, CNVD, PRION, etc.) ...
CVE-2019-14245
CVE-2019-14245 affects CentOS Web Panel 0.9.8.851. The issue is an insecure object reference in the MySQL management flow that allows an attacker with an account to delete arbitrary databases (e.g., oauthv2) on the server. Root cause: insufficient access control for database-management actions. I...
CVE-2019-14246
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords of any user in /etc/passwd via an attacker account...
CentOS Control Web Panel (CWP) 0.9.8.848 User Enumeration Vulnerability
Exploit for linux platform in category web applications Exploit Title : CWP CentOS Control Web Panel User enumerate through HTTP response time Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak Vendor Homepage : https://control-webpanel.com/ Software Link : Not...
CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.848 User Enumeration
Exploit Title : CWP CentOS Control Web Panel User enumerate through HTTP response time Date : 15 Jul 2019 Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak Vendor Homepage : https://control-webpanel.com/ Software Link : Not available, user panel only available for...
CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 Arbitrary Database Drop
Exploit Title : CWP CentOS Control Web Panel Arbitrary database dropping Date : 24 Jul 2019 Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak Vendor Homepage : https://control-webpanel.com/ Software Link : Not available, user panel only available for lastest versi...
Agent Tesla Botnet - Arbitrary Code Execution Exploit
Agent Tesla Botnet - Arbitrary Code Execution import requests import argparse import base64 Agent Tesla C2 RCE by prsecurity For research purposes only. Don't pwn what you don't own. def getargs: parser = argparse.ArgumentParser prog="agentteslasploit.py", formatterclass=lambda prog:...
Agent Tesla Botnet - Arbitrary Code Execution
import requests import argparse import base64 Agent Tesla C2 RCE by prsecurity For research purposes only. Don't pwn what you don't own. def getargs: parser = argparse.ArgumentParser prog="agentteslasploit.py", formatterclass=lambda prog: argparse.HelpFormatterprog, maxhelpposition=50, epilog= ''...
CentOS-WebPanel.com Control Web Panel 0.9.8.846 Cross Site Scripting
Exploit Title: CWP CentOS Control Web Panel Reflected Cross Site Scripting Date: 23 July 2019 Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak Vendor Homepage: https://control-webpanel.com/ Version: 0.9.8.846 Tested on: CentOS 7.6.1810 Core FireFox 68.0.1 64-bit C...
CentOS-WebPanel.com Control Web Panel 0.9.8.840 User Enumeration
Exploit Title: CWP CentOS Control Web Panel User Enumeration Date: 23 July 2019 Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak Vendor Homepage: https://control-webpanel.com/ Version: 0.9.8.836 to 0.9.8.840 Tested on: CentOS 7.6.1810 Core CVE : CVE-2019-13385...
CVE-2019-13386
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege...
CVE-2019-13385
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager allows attackers to enumerate users and check for active users of the application by reading /tmp/login.log...
Privilege escalation
In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege...