Control-Webpanel: >> Webpanel >> 0.9.8.837 Security Vulnerabilities
CVE-2022-44877
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2023-01-05
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
CVSS Score
9.8
EPSS Score
0.138
Published
2022-12-26
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
CVSS Score
9.8
EPSS Score
0.188
Published
2022-12-26
A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request.
CVSS Score
9.8
EPSS Score
0.011
Published
2022-07-07
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-08-21
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.
CVSS Score
8.8
EPSS Score
0.001
Published
2019-08-21