Permissions, Privileges, and Access Controls in CentOS Web Panel - CVE-2019-14245
Published: August 21, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35600
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-14245
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: CentOS Web Panel
Affected software: CentOS Web Panel
Detailed vulnerability description
The vulnerability allows a remote authenticated user to manipulate data.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account.
How to mitigate CVE-2019-14245
Install the update from the vendor's website.
Sources
- http://packetstormsecurity.com/files/154155/CentOS-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html
- http://packetstormsecurity.com/files/154155/CentOS-WebPanel.com-CentOS-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html
- http://packetstormsecurity.com/files/154155/CentOS-WebPanel.com-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html
- https://centos-webpanel.com/changelog-cwp7