Unknown · Centos Web Panel · CVE-2025-48703
**Name of the Vulnerable Software and Affected Versions**
CWP (aka Control Web Panel or CentOS Web Panel) versions prior to 0.9.8.1205
**Description**
CWP (Control Web Panel) is susceptible to an unauthenticated remote code execution vulnerability. An attacker who knows a valid, non-root username can exploit the flaw by sending a specially crafted request to the `/admin/loader_ajax.php?ajax=filemanager&acc=changePerm` endpoint. The root cause is insufficient filtering of the `t_total` parameter, which allows shell metacharacters to be injected and executed on the server. Successful exploitation gives complete control of the server, including the ability to install backdoors, steal data, and move laterally within the network. Reports indicate active exploitation of this vulnerability, with over 1.8 million potentially vulnerable instances identified. Because no authentication is required, the vulnerability effectively bypasses authentication and permits arbitrary command execution.
**Recommendations**
Upgrade CWP to version 0.9.8.1205 or later immediately. Restrict network access to CWP interfaces and implement firewall rules or ACLs so that the panel is reachable only from trusted addresses.
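As an added example (not code from CWP or from this advisory), the following request-screening check could sit in a reverse proxy or WAF in front of the panel while the upgrade and network restrictions above are rolled out. It uses the endpoint, action and parameter named in the description; it assumes, since the advisory does not say, that a legitimate `t_total` value is a short run of digits, and the sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint, action and parameter named in the advisory.
VULN_PATH = "/admin/loader_ajax.php"
VULN_ACTION = {"ajax": "filemanager", "acc": "changePerm"}
VULN_PARAM = "t_total"

# Assumption (not stated in the advisory): a legitimate t_total is a short
# run of digits such as a permission mode, so any value containing shell
# metacharacters or other non-digits is rejected before reaching the panel.
SAFE_VALUE = re.compile(r"[0-9]{1,4}")


def _params(*raw_strings):
    """Merge URL-encoded parameter strings; later strings override earlier
    ones, and blank values are kept so an empty t_total is still seen."""
    merged = {}
    for raw in raw_strings:
        for key, values in parse_qs(raw or "", keep_blank_values=True).items():
            merged[key] = values[0]
    return merged


def screen_request(target, body=""):
    """Return (verdict, reason) for one request: 'pass', 'alert' or 'block'.
    Only requests for the changePerm file-manager action are judged; every
    other request passes untouched."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return "pass", "not the loader endpoint"
    query = _params(parts.query)
    if any(query.get(k) != v for k, v in VULN_ACTION.items()):
        return "pass", "loader endpoint, other action"
    value = _params(parts.query, body).get(VULN_PARAM)  # POST body may carry it
    if value is None:
        return "alert", "changePerm request without %s" % VULN_PARAM
    if not SAFE_VALUE.fullmatch(value):
        return "block", "%s is not a plain number: %r" % (VULN_PARAM, value)
    return "pass", "changePerm with numeric %s" % VULN_PARAM


# Constructed sample requests (target, form body), not captured traffic.
SAMPLES = [
    ("/admin/index.php", ""),
    ("/admin/loader_ajax.php?ajax=filemanager&acc=changePerm", "t_total=755"),
    ("/admin/loader_ajax.php?ajax=filemanager&acc=changePerm", "t_total=755%3Becho+probe"),
    ("/admin/loader_ajax.php?ajax=filemanager&acc=list", "path=%2Fhome"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        verdict, reason = screen_request(target, body)
        print("%-5s %s %s -> %s" % (verdict.upper(), target, body, reason))
```

A block verdict is also a useful detection signal on its own: log it with the source address, since a non-numeric `t_total` on this action has no legitimate use.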