PT-2019-13827 · Centos · Centos Web Panel
Published
2019-12-17
·
Updated
2023-01-24
·
CVE-2019-14782
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
CentOS Web Panel versions 0.9.8.856 through 0.9.8.864
Description
The issue allows an attacker to obtain a victim's session file name from the /tmp directory and the victim's token value from /usr/local/cwpsrv/logs/access log. This information can then be used to make a request and extract the victim's password for the OS and phpMyAdmin via an attacker's account.
Recommendations
For versions 0.9.8.856 through 0.9.8.864, update to a version that contains a fix for this issue to prevent exploitation.
Exploit
Fix
Insertion into Log File
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Centos Web Panel