85 matches found
CVE-2022-44877
CVE-2022-44877 affects CentOS Web Panel / Control Web Panel (CWP) 7 prior to 0.9.8.1147. The vendor’s login/index.php component is vulnerable to OS command injection via shell metacharacters in the login parameter, enabling remote code execution. Public templates and security feeds describe it as...
CVE-2025-48703
CWP (Control Web Panel) versions before 0.9.8.1205 are affected by an unauthenticated remote code execution vulnerability in filemanager/changePerm via shell metacharacters in t_total. Root cause: unsanitized input in t_total enables arbitrary code execution with a non-root user known. Impact is ...
CVE-2019-13385
CVE-2019-13385 affects CentOS Web Panel 0.9.8.840 (CWP). The vulnerability is an Information Disclosure in the filemanager component, allowing an attacker to enumerate users and identify active users by reading the /tmp/login.log. The exploitation context observed in external sources confirms use...
CVE-2019-13387
CVE-2019-13387 affects CentOS Web Panel (CWP) 0.9.8.846. Description: Reflected XSS in filemanager2.php via the fm_current_dir parameter allows an attacker to steal cookies/sessions or redirect users to phishing pages. Public writeups and exploits (e.g., 0day/PacketStorm) demonstrate the vulnerab...
CVE-2019-13359
CWP vulnerability (CVE-2019-13359) : CentOS Web Panel 0.9.8.836 is affected. A cwpsrv-xxx cookie enables a normal user to craft and upload a session file to /tmp and use it to gain root privileges. The issue arises from an unrestricted file upload path/type that lets an attacker escalate to root....
CVE-2020-10230
CVE-2020-10230 affects CentOS Web Panel (CWP) for CentOS 6/7. The vulnerability is an SQL injection in loader_ajax.php via the term parameter (cwp_{SESSION_HASH}/admin/loader_ajax.php?term=...). Exploit details are available in Exploit-DB (and PT/Red Hat/CVEs reference the issue). No official pat...
CVE-2019-13605
CVE-2019-13605 affects CentOS Web Panel (CWP) versions 0.9.8.838–0.9.8.846. The issue is an authentication bypass in the login flow that leverages a valid username and relies on defeating an encoding that is not equivalent to base64, as noted in the NVD entry and CNVD/CNVD-derived records. This i...
CVE-2019-13383
CVE-2019-13383 affects CentOS Web Panel (CWP) version 0.9.8.846. The login process leaks user existence by returned HTTP response differences, enabling an attacker to determine whether a username is valid. Root cause: information disclosure via authentication response handling. Public references ...
CVE-2019-13360
CVE-2019-13360 affects CentOS Web Panel (CWP) 0.9.8.836. Remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. The Red Hat advisory confirms a similar authentication bypass for affected CWP versions, indicating this class of issue is tied to ...
CVE-2021-45466
CVE-2021-45466: In CWP (Control Web Panel/CentOS Web Panel) before 0.9.8.1107, a crafted request to api/?api=add_server&DHCP= can cause an authorized_keys file to be written under /resources/. This is a remote, unauthenticated exploit with high impact. CVE-2021-45467: In the same platform before ...
CVE-2021-45467
CWP (Control Web Panel / CentOS Web Panel) is affected by CVE-2021-45467 in versions before 0.9.8.1107. The issue is an unauthenticated null-byte (%00) injection in the scripts parameter of /user/loader.php (and /user/login.php) that can be exploited to register arbitrary API keys or access sensi...
CVE-2018-18773
CVE-2018-18773 (CentOS Web Panel) affects CentOS Web Panel up to version 0.9.8.740. The connected documents describe a CSRF vulnerability that can target admin/index.php?module=rootpwd to change the root password, with evidence of related XSS issues that can facilitate exploiting this CSRF from a...
CVE-2018-18772
CVE-2018-18772 affects CentOS Web Panel (CWP) up to version 0.9.8.740, which is vulnerable to Cross-Site Request Forgery via admin/index.php?module=send_ssh. The weakness allows an attacker to execute arbitrary OS commands and potentially take over the root account, as documented in the CVE entry...
CVE-2022-25046
The CVE-2022-25046 entry describes a path traversal vulnerability in loader.php of CWP (CentOS Web Panel) v0.9.8.1122 that enables arbitrary code execution via a crafted POST request. Evidence from NVD shows a critical CVSS v3.1 score (9.8) and CVSS v2 score (10.0). Affected component: loader.php...
CVE-2022-25048
Summary : CVE-2022-25048 is a command injection vulnerability in CWP (CentOS Web Panel) version v0.9.8.1126 . The description states that a normal user can execute commands with root privileges. Affected component : CWP panel software (v0.9.8.1126). Impact : Elevation of privileges via command ex...
CVE-2021-31324
CentOS Web Panel’s unprivileged User Portal is affected by a Command Injection vulnerability (CVE-2021-31324). The Nuclei templates describe exploitation via the idsession parameter, allowing unauthenticated attackers to execute arbitrary OS commands with root privileges, leading to full server c...
CVE-2018-18323
CVE-2018-18323 affects CentOS Web Panel 0.9.8.480. The vulnerability is a Local File Inclusion via directory traversal using the URI admin/index.php?module=file_editor&file=/../, enabling an attacker to read sensitive server files. The connected Nuclei template confirms LFI and notes additional i...
CVE-2018-18774
CVE-2018-18774 affects CentOS Web Panel (CentOS Web Panel) versions up to 0.9.8.740. The vulnerability is an XSS flaw exploitable through the admin/index.php endpoint via the module parameter, allowing an attacker to inject arbitrary web script into the administrator’s browser. Several sources in...
CVE-2019-11429
CVE-2019-11429 affects CentOS Web Panel (CWP) versions 0.9.8.793 (Free/Open Source), 0.9.8.753 (Pro) and 0.9.8.807 (Pro). The vulnerability is a Reflected XSS in the Domain field of the DNS Zone: Add DNS Zone screen. The root cause is insufficient input sanitization in the Domain field, enabling ...
CVE-2019-16295
CVE-2019-16295 affects CentOS Web Panel (CWP) 0.9.8.885, via filemanager2.php. The vulnerability is a Stored XSS in the cmd_arg handling, exploitable by a local attacker who supplies a crafted filename within a directory visited by the victim. Multiple sources corroborate the issue in CentOS Web ...
CVE-2019-7646
Summary: CVE-2019-7646 affects CentOS Web Panel (CWP) up to version 0.9.8.763, where the stored/persistent XSS vulnerability exists in the Add a Package (add_package) module via the Package Name field. The issue arises from insufficient input sanitization of the Package Name, enabling an attacker...
CVE-2023-42121
CVE-2023-42121 concerns Control Web Panel (CWP) missing authentication in its web interface, enabling remote code execution with no privileges required. The flaw results from a lack of authentication before accessing functionality, allowing an attacker to execute code in the context of a valid CW...
CVE-2021-31316
The CVE-2021-31316 issue affects the unprivileged user portal of CentOS Web Panel and is a SQL Injection via the idsession HTTP POST parameter. The nuclei template and CIRCL/CVE data confirm an unauthenticated impact that can lead to extraction of database contents and potentially arbitrary comma...
CVE-2019-14782
CVE-2019-14782 affects CentOS Web Panel (CWP) versions 0.9.8.856–0.9.8.864. The issue allows an attacker to obtain a victim’s session file name from the /tmp directory and the token value from /usr/local/cwpsrv/logs/access_log, then use those to request the victim’s password (for the OS and phpMy...
CVE-2020-15610
CVE-2020-15610 affects CentOS Web Panel (cwp-e17.0.9.8.923). The vulnerability is in the file ajax_php_pecl.php where parsing the modulo parameter allows an attacker to execute arbitrary code with root privileges, without authentication. Multiple sources (ZDI-20-757, Red Hat, CNVD/CVE records) co...
CVE-2020-15607
CVE-2020-15607 affects CentOS Web Panel (cwp-e17.0.9.8.923). The flaw is in ajax_admin_apis.php when parsing the line parameter, where insufficient validation allows an attacker to use the string to execute a system call, potentially yielding code execution in the root context. Multiple sources c...
CVE-2022-25047
CVE-2022-25047 affects CWP v0.9.8.1126, where the password reset token is generated using known or predictable values. This is the root cause described across multiple sources (NVD entry and related advisories). No exploit specifics or official fix/version is provided in the supplied documents. S...
CVE-2019-14724
CVE-2019-14724 affects CentOS Web Panel version 0.9.8.851. The vulnerability is an insecure object reference that allows an attacker with an attacker account to edit the victim’s e‑mail forwarding destination. Root cause: improper access control on the object representing the e‑mail forwarding se...
CVE-2023-42123
CVE-2023-42123 concerns the Control Web Panel where the vulnerable component is the mysql_manager module. The flaw arises from improper validation of a user-supplied string before it is used to execute a system command, enabling remote code execution with root privileges. Per the sources, exploit...
CVE-2020-15615
The CVE-2020-15615 entry affects CentOS Web Panel (CWP) version cwp-e17.0.9.8.923. The flaw is in ajax_ftp_manager.php, where a user-supplied string is used to construct a system call without proper validation, allowing unauthenticated remote code execution with root privileges. Public references...
CVE-2018-18324
CVE-2018-18324 affects CentOS Web Panel (CWP) 0.9.8.480, with a Cross‑Site Scripting (XSS) vulnerability triggered via the fm_current_dir parameter in admin/fileManager2.php or via parameters in admin/index.php (module, service_start/fullstatus/restart/stop, or file within file_editor). Public di...
CVE-2019-12190
CVE-2019-12190 affects CentOS Web Panel (CWP) versions through 0.9.8.747. The issue is a cross-site scripting (XSS) vulnerability in the testacc/fileManager2.php endpoint, triggered via the fm_current_dir or filename parameters. The public records consistently note client-side data validation wea...
CVE-2019-14721
CVE-2019-14721 affects CentOS Web Panel (CWP) 0.9.8.851. The vulnerability is described as an insecure object reference that lets an attacker with an attacker account remove a target user from phpMyAdmin. Multiple sources (Red Hat CVE entry, CNVD aggregations) corroborate the impact of removing o...
CVE-2023-42122
CVE-2023-42122 affects Control Web Panel via the cwpsrv process. The flaw: improper validation of a user-supplied string before using it in a system call, with cwpsrv listening on the loopback interface. This enables a local attacker who can run low-privileged code to escalate to root and execute...
CVE-2019-14722
CVE-2019-14722 affects CentOS Web Panel 0.9.8.851. The vulnerability is an insecure object reference in the email forwarding management that allows an attacker with an attacker account to delete an email forwarding destination belonging to a victim’s account. The connected documents confirm the a...
CVE-2020-15627
Affected product: CentOS Web Panel (cwp-e17.0.9.8.923). Vulnerable component: ajax_mail_autoreply.php. Root cause: improper validation when using the user-supplied account parameter to construct SQL queries, enabling information disclosure. Impact: remote attackers can disclose sensitive informat...
CVE-2020-15608
CVE-2020-15608 affects CentOS Web Panel (cwp-e17.0.9.8.923). The vulnerability is in ajax_dashboard.php when parsing the ai_service parameter, where unvalidated user input is used to execute a system call, enabling remote code execution with root privileges and no authentication. Public disclosur...
CVE-2018-18322
CVE-2018-18322 affects CentOS Web Panel version 0.9.8.480. The issue is a Command Injection in admin/index.php via shell metacharacters in the API parameters service_start, service_restart, service_fullstatus, or service_stop. Root cause: unsafely handling of those parameters enables injection th...
CVE-2020-15427
The CVE-2020-15427 issue affects CentOS Web Panel (cwp-e17.0.9.8.923) where the ajax_disk_usage.php file parses the folderName parameter but does not validate it before using it in a system call, allowing remote code execution with root privileges. Public disclosures (ZDI-20-744 and related advis...
CVE-2020-15613
CVE-2020-15613 affects CentOS Web Panel (cwp-e17.0.9.8.923). The flaw is in ajax_admin_apis.php when parsing the line parameter, where unsanitized input is used to execute a system call, enabling remote code execution with root privileges and no authentication. Public advisories reference ZDI-20-...
CVE-2019-14725
CVE-2019-14725 affects CentOS Web Panel 0.9.8.851. Affected component is an insecure object reference that lets an attacker with an account modify the email usage value of another victim’s account. The root cause is inadequate access control on object references, enabling privilege escalation wit...
CVE-2019-14729
CVE-2019-14729 affects CentOS Web Panel (CWP) 0.9.8.851. The issue is an insecure object reference that allows an attacker with an account to delete a sub-domain under a victim’s account. Reported across multiple sources (NVD/Red Hat/CNVD, CNVD, PRION, PT-Security) with consistent product/version...
CVE-2020-15422
CVE-2020-15422 affects CentOS Web Panel cwp-e17.0.9.8.923. The issue is in ajax_mod_security.php where the archivo parameter is parsed without proper validation, allowing an attacker to execute arbitrary code with root privileges. This is a network-based remote code execution vulnerability (no au...
CVE-2020-15434
CVE-2020-15434 affects CentOS Web Panel (cwp-e17.0.9.8.923). The vulnerable component is ajax_php_pecl.php where the canal parameter is not properly validated before using it to execute a system call, enabling remote code execution with root privileges. Exploitation is possible without authentica...
CVE-2019-14726
CVE-2019-14726 affects CentOS Web Panel 0.9.8.851. The issue is an insecure object reference that allows an attacker with an attacker account to access and delete DNS records belonging to a victim’s account. Root cause appears to be insufficient access validation for DNS management objects. Repor...
CVE-2020-15619
CentOS Web Panel (cwp-e17.0.9.8.923) is affected by a SQL injection in ajax_list_accounts.php when parsing the type parameter. The vulnerability allows remote attackers, with no authentication, to disclose sensitive information in the root context by constructing SQL queries from unvalidated user...
CVE-2023-42120
CVE-2023-42120 affects Control Web Panel via the dns_zone_editor module, where improper validation of a user-supplied string before a system call enables remote code execution with root privileges. Impact is high (RCE, root, network exploit) and requires authentication to exploit. The entry is co...
CVE-2019-14728
CVE-2019-14728 affects CentOS Web Panel (CWP) 0.9.8.851. The vulnerability is an insecure object reference that lets an attacker, with an attacker account, add an e-mail forwarding destination to a victim’s account. The root cause is improper authorization/object reference handling in the CWP int...
CVE-2020-15420
CVE-2020-15420 affects CentOS Web Panel (cwp-el7-0.9.8.891). The flaw is in loader_ajax.php when parsing the line parameter, which is used to execute a system call without proper validation. This leads to remote code execution with root privileges and requires no authentication. The issue is docu...
CVE-2019-13477
CWP Control Web Panel version 0.9.8.837 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in the Forgot Password feature, enabling an attacker to change the root password. Root cause: CSRF in the forgot-password flow exposes account password changes to unauthorized requests. Impact...