Multiple vulnerabilities in CentOS Web Panel
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 39 |
| CVE-ID | CVE-2020-15608 CVE-2020-15609 CVE-2020-15610 CVE-2020-15611 CVE-2020-15612 CVE-2020-15613 CVE-2020-15614 CVE-2020-15420 CVE-2020-15421 CVE-2020-15422 CVE-2020-15423 CVE-2020-15424 CVE-2020-15425 CVE-2020-15426 CVE-2020-15427 CVE-2020-15428 CVE-2020-15429 CVE-2020-15430 CVE-2020-15431 CVE-2020-15432 CVE-2020-15433 CVE-2020-15434 CVE-2020-15435 CVE-2020-15606 CVE-2020-15607 |
| CWE-ID | CWE-89 CWE-77 CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
CentOS Web Panel Web applications / CMS |
| Vendor | CentOS Web Panel |
Security Bulletin
This security bulletin contains information about 39 vulnerabilities.
Updated 29.06.2020
Added vulnerabilities #15-21
Updated 30.06.2020
Added vulnerabilities #22-39
1) SQL injection
EUVDB-ID: #VU29316
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "user" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-775/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Command Injection
EUVDB-ID: #VU29329
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation within "ajax_ftp_manager.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-762/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) SQL injection
EUVDB-ID: #VU29328
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "package" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-763/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) SQL injection
EUVDB-ID: #VU29327
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "status" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-764/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) SQL injection
EUVDB-ID: #VU29326
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "username" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-765/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) SQL injection
EUVDB-ID: #VU29325
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "type" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-766/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) SQL injection
EUVDB-ID: #VU29324
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "is" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-767/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) SQL injection
EUVDB-ID: #VU29323
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "email" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-768/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) SQL injection
EUVDB-ID: #VU29322
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "search" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-769/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Path traversal
EUVDB-ID: #VU29321
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within "ajax_mod_security.php" in "archivo" parameter. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-770/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) SQL injection
EUVDB-ID: #VU29320
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "domain" parameter in "ajax_new_account.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-771/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) SQL injection
EUVDB-ID: #VU29319
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "username" parameter in "ajax_add_mailbox.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-772/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) SQL injection
EUVDB-ID: #VU29318
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "term" parameter in "ajax_dashboard.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-773/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) SQL injection
EUVDB-ID: #VU29317
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "account" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-774/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Command Injection
EUVDB-ID: #VU29358
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15608
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "ai_service" parameter in "ajax_dashboard.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-755/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Command Injection
EUVDB-ID: #VU29357
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15609
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "service_stop" parameter in "ajax_dashboard.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-756/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Command Injection
EUVDB-ID: #VU29355
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15610
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "modulo" parameter in "ajax_php_pecl.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-757/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Command Injection
EUVDB-ID: #VU29354
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15611
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "service_restart" parameter in "ajax_dashboard.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-758/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Command Injection
EUVDB-ID: #VU29353
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15612
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "userLogin" parameter in "ajax_ftp_manager.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-759/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Command Injection
EUVDB-ID: #VU29352
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15613
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "line" parameter in "ajax_admin_apis.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-760/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Command Injection
EUVDB-ID: #VU29351
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15614
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "cha" parameter in "ajax_php_pecl.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-761/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Command Injection
EUVDB-ID: #VU29413
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15420
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "line" parameter in "loader_ajax.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-737/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Command Injection
EUVDB-ID: #VU29412
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15421
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "check_ip" parameter in "ajax_mod_security.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-738/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Command Injection
EUVDB-ID: #VU29411
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15422
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "archivo" parameter in "ajax_mod_security.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-739/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Command Injection
EUVDB-ID: #VU29410
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15423
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "dominio" parameter in "ajax_mod_security.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-740/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Command Injection
EUVDB-ID: #VU29409
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15424
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "domain" parameter in "ajax_mod_security.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-741/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Command Injection
EUVDB-ID: #VU29408
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15425
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in "ajax_mod_security.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-742/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Command Injection
EUVDB-ID: #VU29407
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15426
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "serverip" parameter in "ajax_migration_cpanel.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-743/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Command Injection
EUVDB-ID: #VU29406
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15427
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "folderName" parameter in "ajax_disk_usage.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-744/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Command Injection
EUVDB-ID: #VU29405
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15428
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "line" parameter in "ajax_crons.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-745/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Command Injection
EUVDB-ID: #VU29404
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15429
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "user" parameter in "ajax_crons.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-746/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Command Injection
EUVDB-ID: #VU29403
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15430
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "username" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-747/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Command Injection
EUVDB-ID: #VU29402
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15431
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "user" parameter in "ajax_crons.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-748/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Command Injection
EUVDB-ID: #VU29401
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15432
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "filespace" parameter in "ajax_migration_cpanel.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-749/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
35) Command Injection
EUVDB-ID: #VU29400
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15433
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "phpversion" parameter in "ajax_php_pecl.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-750/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
36) Command Injection
EUVDB-ID: #VU29399
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15434
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "canal" parameter in "ajax_php_pecl.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-751/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
37) Command Injection
EUVDB-ID: #VU29398
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15435
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "service_start" parameter in "ajax_dashboard.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-752/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
38) Command Injection
EUVDB-ID: #VU29397
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15606
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in "ajax_admin_apis.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-753/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
39) Command Injection
EUVDB-ID: #VU29396
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15607
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper input validation in the "line" parameter in "ajax_admin_apis.php". A remote attacker can send a specially crafted data and execute arbitrary commands on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCentOS Web Panel: All versions
External linkshttp://www.zerodayinitiative.com/advisories/ZDI-20-754/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
