Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Webpanel
(Control\-Webpanel)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 80 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-05-18 | CVE-2021-31324 | The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. | Webpanel | 9.8 | ||
| 2022-07-07 | CVE-2022-25046 | A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | Webpanel | 9.8 | ||
| 2022-07-07 | CVE-2022-25047 | The password reset token in CWP v0.9.8.1126 is generated using known or predictable values. | Webpanel | 5.9 | ||
| 2022-07-07 | CVE-2022-25048 | Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user. | Webpanel | 8.8 | ||
| 2022-12-26 | CVE-2021-45466 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. | Webpanel | 9.8 | ||
| 2022-12-26 | CVE-2021-45467 | In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter. | Webpanel | 9.8 | ||
| 2019-07-26 | CVE-2019-13387 | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, Reflected XSS in filemanager2.php (parameter fm_current_dir) allows attackers to steal a cookie or session, or redirect to a phishing website. | Webpanel | 6.1 | ||
| 2018-01-22 | CVE-2018-5961 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file. | Webpanel | 6.1 | ||
| 2018-01-22 | CVE-2018-5962 | index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the id parameter to the phpini_editor module or the email_address parameter to the mail_add-new module. | Webpanel | 6.1 | ||
| 2018-10-15 | CVE-2018-18322 | CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter. | Webpanel | 9.8 |