Lucene search
K
Control-webpanelWebpanel

85 matches found

CVE
CVE
added 2023/01/05 12:0 a.m.647 views

CVE-2022-44877

CVE-2022-44877 affects CentOS Web Panel / Control Web Panel (CWP) 7 prior to 0.9.8.1147. The vendor’s login/index.php component is vulnerable to OS command injection via shell metacharacters in the login parameter, enabling remote code execution. Public templates and security feeds describe it as...

9.8CVSS9.6AI score0.99995EPSS
In wildWeb
CVE
CVE
added 2025/09/19 12:0 a.m.563 views

CVE-2025-48703

CWP (Control Web Panel) versions before 0.9.8.1205 are affected by an unauthenticated remote code execution vulnerability in filemanager/changePerm via shell metacharacters in t_total. Root cause: unsanitized input in t_total enables arbitrary code execution with a non-root user known. Impact is ...

9CVSS8.1AI score0.99589EPSS
In wildWeb
CVE
CVE
added 2019/07/26 12:5 p.m.347 views

CVE-2019-13385

CVE-2019-13385 affects CentOS Web Panel 0.9.8.840 (CWP). The vulnerability is an Information Disclosure in the filemanager component, allowing an attacker to enumerate users and identify active users by reading the /tmp/login.log. The exploitation context observed in external sources confirms use...

4.3CVSS4.6AI score0.02031EPSS
Web
CVE
CVE
added 2019/07/26 12:6 p.m.344 views

CVE-2019-13387

CVE-2019-13387 affects CentOS Web Panel (CWP) 0.9.8.846. Description: Reflected XSS in filemanager2.php via the fm_current_dir parameter allows an attacker to steal cookies/sessions or redirect users to phishing pages. Public writeups and exploits (e.g., 0day/PacketStorm) demonstrate the vulnerab...

6.1CVSS5.9AI score0.02176EPSS
Web
CVE
CVE
added 2019/07/16 5:2 p.m.240 views

CVE-2019-13359

CWP vulnerability (CVE-2019-13359) : CentOS Web Panel 0.9.8.836 is affected. A cwpsrv-xxx cookie enables a normal user to craft and upload a session file to /tmp and use it to gain root privileges. The issue arises from an unrestricted file upload path/type that lets an attacker escalate to root....

8.5CVSS7.5AI score0.2577EPSS
Web
CVE
CVE
added 2020/03/16 3:34 p.m.186 views

CVE-2020-10230

CVE-2020-10230 affects CentOS Web Panel (CWP) for CentOS 6/7. The vulnerability is an SQL injection in loader_ajax.php via the term parameter (cwp_{SESSION_HASH}/admin/loader_ajax.php?term=...). Exploit details are available in Exploit-DB (and PT/Red Hat/CVEs reference the issue). No official pat...

9.8CVSS9.9AI score0.14668EPSS
Web
CVE
CVE
added 2019/07/16 4:46 p.m.185 views

CVE-2019-13605

CVE-2019-13605 affects CentOS Web Panel (CWP) versions 0.9.8.838–0.9.8.846. The issue is an authentication bypass in the login flow that leverages a valid username and relies on defeating an encoding that is not equivalent to base64, as noted in the NVD entry and CNVD/CNVD-derived records. This i...

8.8CVSS9.2AI score0.15307EPSS
CVE
CVE
added 2019/07/16 4:54 p.m.179 views

CVE-2019-13383

CVE-2019-13383 affects CentOS Web Panel (CWP) version 0.9.8.846. The login process leaks user existence by returned HTTP response differences, enabling an attacker to determine whether a username is valid. Root cause: information disclosure via authentication response handling. Public references ...

5.3CVSS5.2AI score0.14241EPSS
Web
CVE
CVE
added 2019/07/16 5:0 p.m.171 views

CVE-2019-13360

CVE-2019-13360 affects CentOS Web Panel (CWP) 0.9.8.836. Remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. The Red Hat advisory confirms a similar authentication bypass for affected CWP versions, indicating this class of issue is tied to ...

9.8CVSS9.2AI score0.2445EPSS
CVE
CVE
added 2022/12/26 12:0 a.m.100 views

CVE-2021-45466

CVE-2021-45466: In CWP (Control Web Panel/CentOS Web Panel) before 0.9.8.1107, a crafted request to api/?api=add_server&DHCP= can cause an authorized_keys file to be written under /resources/. This is a remote, unauthenticated exploit with high impact. CVE-2021-45467: In the same platform before ...

9.8CVSS9.2AI score0.55338EPSS
Web
CVE
CVE
added 2022/12/26 12:0 a.m.100 views

CVE-2021-45467

CWP (Control Web Panel / CentOS Web Panel) is affected by CVE-2021-45467 in versions before 0.9.8.1107. The issue is an unauthenticated null-byte (%00) injection in the scripts parameter of /user/loader.php (and /user/login.php) that can be exploited to register arbitrary API keys or access sensi...

9.8CVSS9.4AI score0.70947EPSS
Web
CVE
CVE
added 2018/11/20 7:0 p.m.95 views

CVE-2018-18773

CVE-2018-18773 (CentOS Web Panel) affects CentOS Web Panel up to version 0.9.8.740. The connected documents describe a CSRF vulnerability that can target admin/index.php?module=rootpwd to change the root password, with evidence of related XSS issues that can facilitate exploiting this CSRF from a...

8.8CVSS8.6AI score0.03409EPSS
Web
CVE
CVE
added 2018/11/20 7:0 p.m.94 views

CVE-2018-18772

CVE-2018-18772 affects CentOS Web Panel (CWP) up to version 0.9.8.740, which is vulnerable to Cross-Site Request Forgery via admin/index.php?module=send_ssh. The weakness allows an attacker to execute arbitrary OS commands and potentially take over the root account, as documented in the CVE entry...

8.8CVSS8.7AI score0.0348EPSS
Web
CVE
CVE
added 2022/07/07 11:28 a.m.93 views

CVE-2022-25046

The CVE-2022-25046 entry describes a path traversal vulnerability in loader.php of CWP (CentOS Web Panel) v0.9.8.1122 that enables arbitrary code execution via a crafted POST request. Evidence from NVD shows a critical CVSS v3.1 score (9.8) and CVSS v2 score (10.0). Affected component: loader.php...

10CVSS9.4AI score0.53515EPSS
CVE
CVE
added 2022/07/07 11:29 a.m.89 views

CVE-2022-25048

Summary : CVE-2022-25048 is a command injection vulnerability in CWP (CentOS Web Panel) version v0.9.8.1126 . The description states that a normal user can execute commands with root privileges. Affected component : CWP panel software (v0.9.8.1126). Impact : Elevation of privileges via command ex...

9CVSS8.8AI score0.18585EPSS
CVE
CVE
added 2021/05/18 7:43 p.m.88 views

CVE-2021-31324

CentOS Web Panel’s unprivileged User Portal is affected by a Command Injection vulnerability (CVE-2021-31324). The Nuclei templates describe exploitation via the idsession parameter, allowing unauthenticated attackers to execute arbitrary OS commands with root privileges, leading to full server c...

10CVSS9.8AI score0.34062EPSS
CVE
CVE
added 2018/10/15 7:0 a.m.87 views

CVE-2018-18323

CVE-2018-18323 affects CentOS Web Panel 0.9.8.480. The vulnerability is a Local File Inclusion via directory traversal using the URI admin/index.php?module=file_editor&file=/../, enabling an attacker to read sensitive server files. The connected Nuclei template confirms LFI and notes additional i...

7.5CVSS7.5AI score0.70736EPSS
Web
CVE
CVE
added 2018/11/20 7:0 p.m.87 views

CVE-2018-18774

CVE-2018-18774 affects CentOS Web Panel (CentOS Web Panel) versions up to 0.9.8.740. The vulnerability is an XSS flaw exploitable through the admin/index.php endpoint via the module parameter, allowing an attacker to inject arbitrary web script into the administrator’s browser. Several sources in...

6.1CVSS6.8AI score0.04751EPSS
Web
CVE
CVE
added 2019/05/13 2:44 p.m.84 views

CVE-2019-11429

CVE-2019-11429 affects CentOS Web Panel (CWP) versions 0.9.8.793 (Free/Open Source), 0.9.8.753 (Pro) and 0.9.8.807 (Pro). The vulnerability is a Reflected XSS in the Domain field of the DNS Zone: Add DNS Zone screen. The root cause is insufficient input sanitization in the Domain field, enabling ...

4.8CVSS4.9AI score0.05907EPSS
CVE
CVE
added 2019/10/31 8:59 p.m.82 views

CVE-2019-16295

CVE-2019-16295 affects CentOS Web Panel (CWP) 0.9.8.885, via filemanager2.php. The vulnerability is a Stored XSS in the cmd_arg handling, exploitable by a local attacker who supplies a crafted filename within a directory visited by the victim. Multiple sources corroborate the issue in CentOS Web ...

4.6CVSS4.3AI score0.00478EPSS
Web
CVE
CVE
added 2019/03/26 3:2 p.m.74 views

CVE-2019-7646

Summary: CVE-2019-7646 affects CentOS Web Panel (CWP) up to version 0.9.8.763, where the stored/persistent XSS vulnerability exists in the Add a Package (add_package) module via the Package Name field. The issue arises from insufficient input sanitization of the Package Name, enabling an attacker...

4.8CVSS4.8AI score0.07246EPSS
CVE
CVE
added 2024/05/03 2:13 a.m.73 views

CVE-2023-42121

CVE-2023-42121 concerns Control Web Panel (CWP) missing authentication in its web interface, enabling remote code execution with no privileges required. The flaw results from a lack of authentication before accessing functionality, allowing an attacker to execute code in the context of a valid CW...

9.8CVSS9.8AI score0.01469EPSS
CVE
CVE
added 2021/05/18 7:44 p.m.70 views

CVE-2021-31316

The CVE-2021-31316 issue affects the unprivileged user portal of CentOS Web Panel and is a SQL Injection via the idsession HTTP POST parameter. The nuclei template and CIRCL/CVE data confirm an unauthenticated impact that can lead to extraction of database contents and potentially arbitrary comma...

10CVSS9.8AI score0.13029EPSS
CVE
CVE
added 2019/12/17 3:25 p.m.69 views

CVE-2019-14782

CVE-2019-14782 affects CentOS Web Panel (CWP) versions 0.9.8.856–0.9.8.864. The issue allows an attacker to obtain a victim’s session file name from the /tmp directory and the token value from /usr/local/cwpsrv/logs/access_log, then use those to request the victim’s password (for the OS and phpMy...

6.5CVSS6.4AI score0.01382EPSS
Web
CVE
CVE
added 2020/07/28 5:1 p.m.67 views

CVE-2020-15610

CVE-2020-15610 affects CentOS Web Panel (cwp-e17.0.9.8.923). The vulnerability is in the file ajax_php_pecl.php where parsing the modulo parameter allows an attacker to execute arbitrary code with root privileges, without authentication. Multiple sources (ZDI-20-757, Red Hat, CNVD/CVE records) co...

10CVSS9.6AI score0.08083EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.66 views

CVE-2020-15607

CVE-2020-15607 affects CentOS Web Panel (cwp-e17.0.9.8.923). The flaw is in ajax_admin_apis.php when parsing the line parameter, where insufficient validation allows an attacker to use the string to execute a system call, potentially yielding code execution in the root context. Multiple sources c...

10CVSS9.6AI score0.08083EPSS
CVE
CVE
added 2022/07/07 11:29 a.m.66 views

CVE-2022-25047

CVE-2022-25047 affects CWP v0.9.8.1126, where the password reset token is generated using known or predictable values. This is the root cause described across multiple sources (NVD entry and related advisories). No exploit specifics or official fix/version is provided in the supplied documents. S...

5.9CVSS5.9AI score0.01807EPSS
CVE
CVE
added 2019/09/11 11:28 a.m.65 views

CVE-2019-14724

CVE-2019-14724 affects CentOS Web Panel version 0.9.8.851. The vulnerability is an insecure object reference that allows an attacker with an attacker account to edit the victim’s e‑mail forwarding destination. Root cause: improper access control on the object representing the e‑mail forwarding se...

7.5CVSS7.4AI score0.04412EPSS
CVE
CVE
added 2024/05/03 2:13 a.m.65 views

CVE-2023-42123

CVE-2023-42123 concerns the Control Web Panel where the vulnerable component is the mysql_manager module. The flaw arises from improper validation of a user-supplied string before it is used to execute a system command, enabling remote code execution with root privileges. Per the sources, exploit...

8.8CVSS9.1AI score0.01864EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.64 views

CVE-2020-15615

The CVE-2020-15615 entry affects CentOS Web Panel (CWP) version cwp-e17.0.9.8.923. The flaw is in ajax_ftp_manager.php, where a user-supplied string is used to construct a system call without proper validation, allowing unauthenticated remote code execution with root privileges. Public references...

10CVSS9.6AI score0.08083EPSS
CVE
CVE
added 2018/10/15 7:0 a.m.63 views

CVE-2018-18324

CVE-2018-18324 affects CentOS Web Panel (CWP) 0.9.8.480, with a Cross‑Site Scripting (XSS) vulnerability triggered via the fm_current_dir parameter in admin/fileManager2.php or via parameters in admin/index.php (module, service_start/fullstatus/restart/stop, or file within file_editor). Public di...

6.1CVSS6AI score0.03207EPSS
Web
CVE
CVE
added 2019/05/21 5:29 p.m.62 views

CVE-2019-12190

CVE-2019-12190 affects CentOS Web Panel (CWP) versions through 0.9.8.747. The issue is a cross-site scripting (XSS) vulnerability in the testacc/fileManager2.php endpoint, triggered via the fm_current_dir or filename parameters. The public records consistently note client-side data validation wea...

5.4CVSS5.3AI score0.05323EPSS
Web
CVE
CVE
added 2019/09/10 3:14 p.m.61 views

CVE-2019-14721

CVE-2019-14721 affects CentOS Web Panel (CWP) 0.9.8.851. The vulnerability is described as an insecure object reference that lets an attacker with an attacker account remove a target user from phpMyAdmin. Multiple sources (Red Hat CVE entry, CNVD aggregations) corroborate the impact of removing o...

6.5CVSS6.4AI score0.01787EPSS
CVE
CVE
added 2024/05/03 2:13 a.m.61 views

CVE-2023-42122

CVE-2023-42122 affects Control Web Panel via the cwpsrv process. The flaw: improper validation of a user-supplied string before using it in a system call, with cwpsrv listening on the loopback interface. This enables a local attacker who can run low-privileged code to escalate to root and execute...

7.8CVSS8AI score0.00712EPSS
CVE
CVE
added 2019/09/10 3:15 p.m.60 views

CVE-2019-14722

CVE-2019-14722 affects CentOS Web Panel 0.9.8.851. The vulnerability is an insecure object reference in the email forwarding management that allows an attacker with an attacker account to delete an email forwarding destination belonging to a victim’s account. The connected documents confirm the a...

4.3CVSS4.6AI score0.01538EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.60 views

CVE-2020-15627

Affected product: CentOS Web Panel (cwp-e17.0.9.8.923). Vulnerable component: ajax_mail_autoreply.php. Root cause: improper validation when using the user-supplied account parameter to construct SQL queries, enabling information disclosure. Impact: remote attackers can disclose sensitive informat...

7.8CVSS7.5AI score0.0383EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.59 views

CVE-2020-15608

CVE-2020-15608 affects CentOS Web Panel (cwp-e17.0.9.8.923). The vulnerability is in ajax_dashboard.php when parsing the ai_service parameter, where unvalidated user input is used to execute a system call, enabling remote code execution with root privileges and no authentication. Public disclosur...

10CVSS9.6AI score0.08083EPSS
CVE
CVE
added 2018/10/15 7:0 a.m.58 views

CVE-2018-18322

CVE-2018-18322 affects CentOS Web Panel version 0.9.8.480. The issue is a Command Injection in admin/index.php via shell metacharacters in the API parameters service_start, service_restart, service_fullstatus, or service_stop. Root cause: unsafely handling of those parameters enables injection th...

9.8CVSS9.7AI score0.15141EPSS
Web
CVE
CVE
added 2020/07/28 5:1 p.m.58 views

CVE-2020-15427

The CVE-2020-15427 issue affects CentOS Web Panel (cwp-e17.0.9.8.923) where the ajax_disk_usage.php file parses the folderName parameter but does not validate it before using it in a system call, allowing remote code execution with root privileges. Public disclosures (ZDI-20-744 and related advis...

10CVSS9.6AI score0.08083EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.58 views

CVE-2020-15613

CVE-2020-15613 affects CentOS Web Panel (cwp-e17.0.9.8.923). The flaw is in ajax_admin_apis.php when parsing the line parameter, where unsanitized input is used to execute a system call, enabling remote code execution with root privileges and no authentication. Public advisories reference ZDI-20-...

10CVSS9.6AI score0.08083EPSS
CVE
CVE
added 2019/09/11 11:26 a.m.57 views

CVE-2019-14725

CVE-2019-14725 affects CentOS Web Panel 0.9.8.851. Affected component is an insecure object reference that lets an attacker with an account modify the email usage value of another victim’s account. The root cause is inadequate access control on object references, enabling privilege escalation wit...

4.3CVSS4.6AI score0.01469EPSS
CVE
CVE
added 2019/09/10 3:21 p.m.57 views

CVE-2019-14729

CVE-2019-14729 affects CentOS Web Panel (CWP) 0.9.8.851. The issue is an insecure object reference that allows an attacker with an account to delete a sub-domain under a victim’s account. Reported across multiple sources (NVD/Red Hat/CNVD, CNVD, PRION, PT-Security) with consistent product/version...

5.5CVSS4.6AI score0.015EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.57 views

CVE-2020-15422

CVE-2020-15422 affects CentOS Web Panel cwp-e17.0.9.8.923. The issue is in ajax_mod_security.php where the archivo parameter is parsed without proper validation, allowing an attacker to execute arbitrary code with root privileges. This is a network-based remote code execution vulnerability (no au...

10CVSS9.6AI score0.08411EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.57 views

CVE-2020-15434

CVE-2020-15434 affects CentOS Web Panel (cwp-e17.0.9.8.923). The vulnerable component is ajax_php_pecl.php where the canal parameter is not properly validated before using it to execute a system call, enabling remote code execution with root privileges. Exploitation is possible without authentica...

10CVSS9.6AI score0.08411EPSS
CVE
CVE
added 2019/09/10 3:19 p.m.56 views

CVE-2019-14726

CVE-2019-14726 affects CentOS Web Panel 0.9.8.851. The issue is an insecure object reference that allows an attacker with an attacker account to access and delete DNS records belonging to a victim’s account. Root cause appears to be insufficient access validation for DNS management objects. Repor...

6.5CVSS5.5AI score0.01333EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.56 views

CVE-2020-15619

CentOS Web Panel (cwp-e17.0.9.8.923) is affected by a SQL injection in ajax_list_accounts.php when parsing the type parameter. The vulnerability allows remote attackers, with no authentication, to disclose sensitive information in the root context by constructing SQL queries from unvalidated user...

7.8CVSS7.5AI score0.0383EPSS
CVE
CVE
added 2024/05/03 2:13 a.m.56 views

CVE-2023-42120

CVE-2023-42120 affects Control Web Panel via the dns_zone_editor module, where improper validation of a user-supplied string before a system call enables remote code execution with root privileges. Impact is high (RCE, root, network exploit) and requires authentication to exploit. The entry is co...

8.8CVSS9.1AI score0.02126EPSS
CVE
CVE
added 2019/09/10 3:22 p.m.55 views

CVE-2019-14728

CVE-2019-14728 affects CentOS Web Panel (CWP) 0.9.8.851. The vulnerability is an insecure object reference that lets an attacker, with an attacker account, add an e-mail forwarding destination to a victim’s account. The root cause is improper authorization/object reference handling in the CWP int...

4.3CVSS4.6AI score0.015EPSS
CVE
CVE
added 2020/07/28 5:1 p.m.55 views

CVE-2020-15420

CVE-2020-15420 affects CentOS Web Panel (cwp-el7-0.9.8.891). The flaw is in loader_ajax.php when parsing the line parameter, which is used to execute a system call without proper validation. This leads to remote code execution with root privileges and requires no authentication. The issue is docu...

10CVSS9.6AI score0.08083EPSS
CVE
CVE
added 2019/08/21 6:55 p.m.54 views

CVE-2019-13477

CWP Control Web Panel version 0.9.8.837 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in the Forgot Password feature, enabling an attacker to change the root password. Root cause: CSRF in the forgot-password flow exposes account password changes to unauthorized requests. Impact...

8.8CVSS8.7AI score0.00721EPSS
Web
Total number of security vulnerabilities85