Credentials management in CentOS Web Panel

#VU35601 Credentials management in CentOS Web Panel

Published: 2019-08-21 | Updated: 2020-08-08

Vulnerability identifier: #VU35601

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14246

CWE-ID: CWE-255

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CentOS Web Panel
Web applications / CMS

Vendor: CentOS Web Panel

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account.

Mitigation
Install update from vendor's website.

Vulnerable software versions

CentOS Web Panel: 0.9.8.851

External links
http://packetstormsecurity.com/files/154156/CentOS-Control-Web-Panel-CWP-0.9.8.851-phpMyAdmin-Password-Change.html
http://packetstormsecurity.com/files/154156/CentOS-WebPanel.com-CentOS-Control-Web-Panel-CWP-0.9.8.851-phpMyAdmin-Password-Change.html
http://packetstormsecurity.com/files/154156/CentOS-WebPanel.com-Control-Web-Panel-CWP-0.9.8.851-phpMyAdmin-Password-Change.html
http://centos-webpanel.com/changelog-cwp7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in CentOS Web Panel