SB2020072852 - Multiple vulnerabilities in CentOS Web Panel
Published: July 28, 2020 Updated: August 5, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2020-15615)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_ftp_manager.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9746.
2) SQL injection (CVE-ID: CVE-2020-15616)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the package parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9706.
3) SQL injection (CVE-ID: CVE-2020-15617)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the status parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9708.
4) SQL injection (CVE-ID: CVE-2020-15618)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9717.
5) SQL injection (CVE-ID: CVE-2020-15619)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the type parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9723.
6) SQL injection (CVE-ID: CVE-2020-15620)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the id parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9741.
7) SQL injection (CVE-ID: CVE-2020-15621)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the email parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9711.
8) SQL injection (CVE-ID: CVE-2020-15622)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the search parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9712.
9) Exposed dangerous method or function (CVE-ID: CVE-2020-15623)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
This vulnerability allows remote attackers to write arbitrary files on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the archivo parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9722.
10) SQL injection (CVE-ID: CVE-2020-15624)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_new_account.php. When parsing the domain parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9727.
11) SQL injection (CVE-ID: CVE-2020-15625)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_add_mailbox.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9729.
12) SQL injection (CVE-ID: CVE-2020-15626)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the term parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9730.
13) SQL injection (CVE-ID: CVE-2020-15627)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the account parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9738.
14) SQL injection (CVE-ID: CVE-2020-15628)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the user parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9710.
Remediation
Install update from vendor's website.
References
- https://www.zerodayinitiative.com/advisories/ZDI-20-762/
- https://www.zerodayinitiative.com/advisories/ZDI-20-763/
- https://www.zerodayinitiative.com/advisories/ZDI-20-764/
- https://www.zerodayinitiative.com/advisories/ZDI-20-765/
- https://www.zerodayinitiative.com/advisories/ZDI-20-766/
- https://www.zerodayinitiative.com/advisories/ZDI-20-767/
- https://www.zerodayinitiative.com/advisories/ZDI-20-768/
- https://www.zerodayinitiative.com/advisories/ZDI-20-769/
- https://www.zerodayinitiative.com/advisories/ZDI-20-770/
- https://www.zerodayinitiative.com/advisories/ZDI-20-771/
- https://www.zerodayinitiative.com/advisories/ZDI-20-772/
- https://www.zerodayinitiative.com/advisories/ZDI-20-773/
- https://www.zerodayinitiative.com/advisories/ZDI-20-774/
- https://www.zerodayinitiative.com/advisories/ZDI-20-775/