Control-Webpanel: >> Webpanel >> 0.9.8 Security Vulnerabilities
CVE-2022-44877
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2023-01-05
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
CVSS Score
9.8
EPSS Score
0.138
Published
2022-12-26
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
CVSS Score
9.8
EPSS Score
0.188
Published
2022-12-26
A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request.
CVSS Score
9.8
EPSS Score
0.011
Published
2022-07-07
XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir or filename parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-05-21
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter.
CVSS Score
4.8
EPSS Score
0.005
Published
2019-03-26
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
CVSS Score
8.8
EPSS Score
0.006
Published
2018-11-20
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
CVSS Score
8.8
EPSS Score
0.005
Published
2018-11-20
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
CVSS Score
6.1
EPSS Score
0.045
Published
2018-11-20
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-01-22
Page 1