Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Webpanel
(Control\-Webpanel)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 80 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-09-10 | CVE-2019-14727 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail password of a victim account via an attacker account. | Webpanel | 4.3 | ||
| 2019-09-10 | CVE-2019-14728 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to add an e-mail forwarding destination to a victim's account via an attacker account. | Webpanel | 4.3 | ||
| 2019-09-10 | CVE-2019-14729 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a sub-domain from a victim's account via an attacker account. | Webpanel | 4.3 | ||
| 2019-09-10 | CVE-2019-14730 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a domain from a victim's account via an attacker account. | Webpanel | 4.3 | ||
| 2019-09-11 | CVE-2019-14724 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to edit an e-mail forwarding destination of a victim's account via an attacker account. | Webpanel | 7.5 | ||
| 2019-09-11 | CVE-2019-14725 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail usage value of a victim account via an attacker account. | Webpanel | 4.3 | ||
| 2019-10-31 | CVE-2019-16295 | Stored XSS in filemanager2.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.885 exists via the cmd_arg parameter. This can be exploited by a local attacker who supplies a crafted filename within a directory visited by the victim. | Webpanel | 4.6 | ||
| 2019-12-17 | CVE-2019-14782 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.856 through 0.9.8.864 allows an attacker to get a victim's session file name from the /tmp directory, and the victim's token value from /usr/local/cwpsrv/logs/access_log, then use them to make a request to extract the victim's password (for the OS and phpMyAdmin) via an attacker account. | Webpanel | 6.5 | ||
| 2019-12-17 | CVE-2019-15235 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.864 allows an attacker to get a victim's session file name from /home/[USERNAME]/tmp/session/sess_xxxxxx, and the victim's token value from /usr/local/cwpsrv/logs/access_log, then use them to gain access to the victim's password (for the OS and phpMyAdmin) via an attacker account. This is different from CVE-2019-14782. | Webpanel | 6.5 | ||
| 2020-03-16 | CVE-2020-10230 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter. | Webpanel | 9.8 |