Vulnerabilities > Control Webpanel

DATE CVE VULNERABILITY TITLE RISK
2023-01-05 CVE-2022-44877 OS Command Injection vulnerability in Control-Webpanel Webpanel
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
network
low complexity
control-webpanel CWE-78
critical
9.8
2022-12-26 CVE-2021-45466 Incorrect Authorization vulnerability in Control-Webpanel Webpanel
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.
network
low complexity
control-webpanel CWE-863
critical
9.8
2022-12-26 CVE-2021-45467 Unspecified vulnerability in Control-Webpanel Webpanel
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI.
network
low complexity
control-webpanel
critical
9.8
2022-07-07 CVE-2022-25046 Path Traversal vulnerability in Control-Webpanel Webpanel
A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request.
network
low complexity
control-webpanel CWE-22
critical
9.8
2022-07-07 CVE-2022-25047 Use of Insufficiently Random Values vulnerability in Control-Webpanel Webpanel 0.9.8.1126
The password reset token in CWP v0.9.8.1126 is generated using known or predictable values.
network
high complexity
control-webpanel CWE-330
5.9
2022-07-07 CVE-2022-25048 OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.1126
Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user.
network
low complexity
control-webpanel CWE-78
8.8
2021-05-18 CVE-2021-31316 SQL Injection vulnerability in Control-Webpanel Webpanel
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
network
low complexity
control-webpanel CWE-89
critical
9.8
2021-05-18 CVE-2021-31324 OS Command Injection vulnerability in Control-Webpanel Webpanel
The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
network
low complexity
control-webpanel CWE-78
critical
9.8
2020-07-28 CVE-2020-15628 SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923.
network
low complexity
control-webpanel CWE-89
7.5
2020-07-28 CVE-2020-15627 SQL Injection vulnerability in Control-Webpanel Webpanel 0.9.8.923
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923.
network
low complexity
control-webpanel CWE-89
7.5