Multiple vulnerabilities in CentOS Web Panel



Published: 2020-06-26 | Updated: 2020-06-30
Risk: High
Patch available: NO
Number of vulnerabilities: 39
CVE-ID: CVE-2020-15608, CVE-2020-15609, CVE-2020-15610, CVE-2020-15611, CVE-2020-15612, CVE-2020-15613, CVE-2020-15614, CVE-2020-15420, CVE-2020-15421, CVE-2020-15422, CVE-2020-15423, CVE-2020-15424, CVE-2020-15425, CVE-2020-15426, CVE-2020-15427, CVE-2020-15428, CVE-2020-15429, CVE-2020-15430, CVE-2020-15431, CVE-2020-15432, CVE-2020-15433, CVE-2020-15434, CVE-2020-15435, CVE-2020-15606, CVE-2020-15607
CWE-ID: CWE-89, CWE-77, CWE-22
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: CentOS Web Panel (Web applications / CMS)

Vendor: CentOS Web Panel

Security Bulletin

This security bulletin contains information about 39 vulnerabilities.

Updated 29.06.2020: added vulnerabilities #15-21
Updated 30.06.2020: added vulnerabilities #22-39

1) SQL injection

EUVDB-ID: #VU29316

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "user" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-775/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Command Injection

EUVDB-ID: #VU29329

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation within "ajax_ftp_manager.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-762/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) SQL injection

EUVDB-ID: #VU29328

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "package" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-763/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) SQL injection

EUVDB-ID: #VU29327

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "status" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-764/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) SQL injection

EUVDB-ID: #VU29326

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "username" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-765/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) SQL injection

EUVDB-ID: #VU29325

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "type" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-766/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) SQL injection

EUVDB-ID: #VU29324

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "is" parameter in "ajax_list_accounts.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-767/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) SQL injection

EUVDB-ID: #VU29323

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "email" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-768/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) SQL injection

EUVDB-ID: #VU29322

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "search" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-769/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Path traversal

EUVDB-ID: #VU29321

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the "archivo" parameter of "ajax_mod_security.php". A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-770/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) SQL injection

EUVDB-ID: #VU29320

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "domain" parameter in "ajax_new_account.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-771/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) SQL injection

EUVDB-ID: #VU29319

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "username" parameter in "ajax_add_mailbox.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-772/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) SQL injection

EUVDB-ID: #VU29318

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "term" parameter in "ajax_dashboard.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-773/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) SQL injection

EUVDB-ID: #VU29317

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "account" parameter in "ajax_mail_autoreply.php". A remote attacker can send a specially crafted request to the affected application and gain access to sensitive information on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-774/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Command Injection

EUVDB-ID: #VU29358

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15608

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "ai_service" parameter in "ajax_dashboard.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-755/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Command Injection

EUVDB-ID: #VU29357

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15609

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "service_stop" parameter in "ajax_dashboard.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-756/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Command Injection

EUVDB-ID: #VU29355

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15610

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "modulo" parameter in "ajax_php_pecl.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-757/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Command Injection

EUVDB-ID: #VU29354

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15611

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "service_restart" parameter in "ajax_dashboard.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-758/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Command Injection

EUVDB-ID: #VU29353

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15612

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "userLogin" parameter in "ajax_ftp_manager.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-759/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Command Injection

EUVDB-ID: #VU29352

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15613

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "line" parameter in "ajax_admin_apis.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-760/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Command Injection

EUVDB-ID: #VU29351

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15614

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "cha" parameter in "ajax_php_pecl.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-761/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Command Injection

EUVDB-ID: #VU29413

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15420

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "line" parameter in "loader_ajax.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-737/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Command Injection

EUVDB-ID: #VU29412

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15421

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "check_ip" parameter in "ajax_mod_security.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-738/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Command Injection

EUVDB-ID: #VU29411

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15422

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "archivo" parameter in "ajax_mod_security.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-739/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Command Injection

EUVDB-ID: #VU29410

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15423

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "dominio" parameter in "ajax_mod_security.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-740/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Command Injection

EUVDB-ID: #VU29409

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15424

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "domain" parameter in "ajax_mod_security.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-741/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Command Injection

EUVDB-ID: #VU29408

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15425

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in "ajax_mod_security.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions


External links

http://www.zerodayinitiative.com/advisories/ZDI-20-742/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Command Injection

EUVDB-ID: #VU29407

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15426

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "serverip" parameter in "ajax_migration_cpanel.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-743/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Command Injection

EUVDB-ID: #VU29406

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15427

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "folderName" parameter in "ajax_disk_usage.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-744/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Command Injection

EUVDB-ID: #VU29405

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15428

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "line" parameter in "ajax_crons.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-745/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Command Injection

EUVDB-ID: #VU29404

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15429

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "user" parameter in "ajax_crons.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-746/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Command Injection

EUVDB-ID: #VU29403

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15430

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "username" parameter in "ajax_list_accounts.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-747/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Command Injection

EUVDB-ID: #VU29402

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15431

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "user" parameter in "ajax_crons.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-748/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Command Injection

EUVDB-ID: #VU29401

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15432

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "filespace" parameter in "ajax_migration_cpanel.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-749/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Command Injection

EUVDB-ID: #VU29400

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15433

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "phpversion" parameter in "ajax_php_pecl.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-750/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Command Injection

EUVDB-ID: #VU29399

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15434

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "canal" parameter in "ajax_php_pecl.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-751/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Command Injection

EUVDB-ID: #VU29398

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15435

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "service_start" parameter in "ajax_dashboard.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-752/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Command Injection

EUVDB-ID: #VU29397

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15606

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in "ajax_admin_apis.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-753/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Command Injection

EUVDB-ID: #VU29396

Risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15607

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "line" parameter in "ajax_admin_apis.php". A remote attacker can send specially crafted data and execute arbitrary commands on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

CentOS Web Panel: All versions

External links

http://www.zerodayinitiative.com/advisories/ZDI-20-754/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.