Centos Webpanel Centos Web Panel
By the Year
In 2024 there have been 0 vulnerabilities in Centos Webpanel Centos Web Panel . Last year Centos Web Panel had 1 security vulnerability published. Right now, Centos Web Panel is on track to have less security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 1 | 9.80 |
2022 | 2 | 9.80 |
2021 | 2 | 9.80 |
2020 | 1 | 9.80 |
2019 | 30 | 5.83 |
2018 | 8 | 7.41 |
It may take a day or so for new Centos Web Panel vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Centos Webpanel Centos Web Panel Security Vulnerabilities
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147
CVE-2022-44877
9.8 - Critical
- January 05, 2023
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Shell injection
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers
CVE-2021-45466
9.8 - Critical
- December 26, 2022
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
AuthZ
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker
CVE-2021-45467
9.8 - Critical
- December 26, 2022
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection
CVE-2021-31316
9.8 - Critical
- May 18, 2021
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
SQL Injection
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
CVE-2021-31324
9.8 - Critical
- May 18, 2021
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
Shell injection
CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7)
CVE-2020-10230
9.8 - Critical
- March 16, 2020
CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) allows SQL Injection via the /cwp_{SESSION_HASH}/admin/loader_ajax.php term parameter.
SQL Injection
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.864
CVE-2019-15235
6.5 - Medium
- December 17, 2019
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.864 allows an attacker to get a victim's session file name from /home/[USERNAME]/tmp/session/sess_xxxxxx, and the victim's token value from /usr/local/cwpsrv/logs/access_log, then use them to gain access to the victim's password (for the OS and phpMyAdmin) via an attacker account. This is different from CVE-2019-14782.
Insertion of Sensitive Information into Log File
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.856 through 0.9.8.864
CVE-2019-14782
6.5 - Medium
- December 17, 2019
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.856 through 0.9.8.864 allows an attacker to get a victim's session file name from the /tmp directory, and the victim's token value from /usr/local/cwpsrv/logs/access_log, then use them to make a request to extract the victim's password (for the OS and phpMyAdmin) via an attacker account.
Insertion of Sensitive Information into Log File
Stored XSS in filemanager2.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.885 exists via the cmd_arg parameter
CVE-2019-16295
4.6 - Medium
- October 31, 2019
Stored XSS in filemanager2.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.885 exists via the cmd_arg parameter. This can be exploited by a local attacker who supplies a crafted filename within a directory visited by the victim.
XSS
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14724
7.5 - High
- September 11, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to edit an e-mail forwarding destination of a victim's account via an attacker account.
Insecure Direct Object Reference / IDOR
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14725
4.3 - Medium
- September 11, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail usage value of a victim account via an attacker account.
Insecure Direct Object Reference / IDOR
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14728
4.3 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to add an e-mail forwarding destination to a victim's account via an attacker account.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14723
4.3 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a victim's e-mail account via an attacker account.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14727
4.3 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail password of a victim account via an attacker account.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14726
5.4 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to access and delete DNS records of a victim's account via an attacker account.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14722
4.3 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete an e-mail forwarding destination from a victim's account via an attacker account.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14721
6.5 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to remove a target user from phpMyAdmin via an attacker account.
Insecure Direct Object Reference / IDOR
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14729
4.3 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a sub-domain from a victim's account via an attacker account.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14730
4.3 - Medium
- September 10, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a domain from a victim's account via an attacker account.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter
CVE-2019-13476
5.4 - Medium
- August 21, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in the domain parameter allows a low-privilege user to achieve root access via the email list page.
XSS
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function
CVE-2019-13477
8.8 - High
- August 21, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.
Session Riding
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14246
6.5 - Medium
- August 21, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.
Insecure Direct Object Reference / IDOR
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference
CVE-2019-14245
6.5 - Medium
- August 21, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account.
Insecure Direct Object Reference / IDOR
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process
CVE-2019-13599
5.3 - Medium
- August 21, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.
Side Channel Attack
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, Reflected XSS in filemanager2.php (parameter fm_current_dir)
CVE-2019-13387
6.1 - Medium
- July 26, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, Reflected XSS in filemanager2.php (parameter fm_current_dir) allows attackers to steal a cookie or session, or redirect to a phishing website.
XSS
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php
CVE-2019-13386
8.8 - High
- July 26, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege.
AuthZ
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager
CVE-2019-13385
4.3 - Medium
- July 26, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager allows attackers to enumerate users and check for active users of the application by reading /tmp/login.log.
Directory traversal
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie
CVE-2019-13359
7.5 - High
- July 16, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.
Unrestricted File Upload
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers
CVE-2019-13605
8.8 - High
- July 16, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-13360.
Insecure Direct Object Reference / IDOR
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process
CVE-2019-13383
5.3 - Medium
- July 16, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response.
Side Channel Attack
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers
CVE-2019-13360
9.8 - Critical
- July 16, 2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.
Insecure Direct Object Reference / IDOR
XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747
CVE-2019-12190
5.4 - Medium
- May 21, 2019
XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.747 via the testacc/fileManager2.php fm_current_dir or filename parameter.
XSS
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version)
CVE-2019-11429
4.8 - Medium
- May 13, 2019
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen.
XSS
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen
CVE-2019-10893
4.8 - Medium
- April 18, 2019
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute.
XSS
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields
CVE-2019-10261
4.8 - Medium
- April 03, 2019
CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XSS for the "Name Server 1" and "Name Server 2" fields via a "DNS Functions" "Edit Nameservers IPs" action.
XSS
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field
CVE-2019-7646
4.8 - Medium
- March 26, 2019
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vulnerable to Stored/Persistent XSS for the "Package Name" field via the add_package module parameter.
XSS
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740
CVE-2018-18774
6.1 - Medium
- November 20, 2018
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
XSS
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740
CVE-2018-18773
8.8 - High
- November 20, 2018
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
Session Riding
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740
CVE-2018-18772
8.8 - High
- November 20, 2018
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
Session Riding
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS
CVE-2018-18324
6.1 - Medium
- October 15, 2018
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor) parameter.
XSS
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion
CVE-2018-18323
7.5 - High
- October 15, 2018
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.
Directory traversal
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection
CVE-2018-18322
9.8 - Critical
- October 15, 2018
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.
Shell injection
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS
CVE-2018-5961
6.1 - Medium
- January 22, 2018
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file.
XSS
index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS
CVE-2018-5962
6.1 - Medium
- January 22, 2018
index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the id parameter to the phpini_editor module or the email_address parameter to the mail_add-new module.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Control Webpanel Webpanel or by Centos Webpanel? Click the Watch button to subscribe.