PT-2019-14030 · Centos · Centos Web Panel

Published 2019-12-17 · Updated 2023-01-24 · CVE-2019-15235

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CentOS Web Panel version 0.9.8.864

Description: A local attacker holding an ordinary account on the server can read a victim's session file name from /home/[USERNAME]/tmp/session/sess_xxxxxx and the victim's token value from /usr/local/cwpsrv/logs/access_log. With these two values the attacker can, from their own account, retrieve the victim's password for both the operating system and phpMyAdmin.

Recommendations: For version 0.9.8.864, restrict access to the /home/[USERNAME]/tmp/session/ directory and to the /usr/local/cwpsrv/logs/access_log file so that other local users cannot read session data or the request log in which the token is recorded. As a temporary workaround until a patch is available, remove or restrict access to existing sess_xxxxxx session files, since any that were readable should be treated as exposed.
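The recommendation above amounts to two checks an administrator can script: is the token still being written to access_log, and can other local users read the session directory and the log? The following shell script is an added example written for this page; it is not CWP's own code or the vendor's fix. It assumes (the advisory does not say so) that access_log is in the Apache/NGINX "combined" format and that the token travels as a query-string parameter literally named "token"; the log lines it audits are constructed for the demo, and the paths are mirrored under a temporary directory so it runs without root.

```shell
#!/bin/sh
# Added example for this advisory, not CWP's own code or the vendor's fix.
# It audits the two artifacts the advisory names: session files under
# /home/<user>/tmp/session and the cwpsrv access_log where the token lands.
# Assumptions (not stated on the page): the log is in Apache/NGINX "combined"
# format, and the token is a query-string parameter literally named "token".

# Count access_log requests whose query string carries a token value.
# Field 7 of a combined-format line is the request path.
count_token_exposure() {
    awk '$7 ~ /[?&]token=/ { n++ } END { print n + 0 }' "$1"
}

# List the exposed requests as "<client_ip> <path>" with the token value
# redacted, so the audit output does not copy the secret a second time.
list_token_exposure() {
    awk '$7 ~ /[?&]token=/ { sub(/token=[^&]*/, "token=<redacted>", $7); print $1, $7 }' "$1"
}

# Succeed (exit 0) when PATH grants any permission to "other", the class an
# attacker's ordinary shell account falls into; fail (exit 1) otherwise.
world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$other" != "0" ]
}

# Remove all "other" permissions; owner (the user or the cwpsrv account) and
# group are untouched, so the panel keeps working.
harden_path() {
    chmod o-rwx "$1"
}

# Build a throwaway tree mirroring the advisory's paths, with a CONSTRUCTED
# access_log (the token values below are made up) and the loose modes a
# default install might have. Prints the tree's root.
make_fixtures() {
    root=$(mktemp -d)
    mkdir -p "$root/home/victim/tmp/session" "$root/usr/local/cwpsrv/logs"
    : > "$root/home/victim/tmp/session/sess_xxxxxx"
    cat > "$root/usr/local/cwpsrv/logs/access_log" <<'EOF'
10.0.0.5 - - [17/Dec/2019:10:00:01 +0000] "GET /login/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Dec/2019:10:00:02 +0000] "GET /admin/index.php?module=user&token=abc123def HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Dec/2019:10:00:03 +0000] "GET /admin/index.php?module=phpmyadmin&token=zzz999 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Dec/2019:10:00:04 +0000] "GET /admin/index.php?module=tokens HTTP/1.1" 200 256 "-" "Mozilla/5.0"
EOF
    chmod 755 "$root/home/victim/tmp/session"
    chmod 644 "$root/home/victim/tmp/session/sess_xxxxxx"
    chmod 644 "$root/usr/local/cwpsrv/logs/access_log"
    printf '%s\n' "$root"
}

# Walk-through on the fixtures: report, then harden what "other" can reach.
audit() {
    root=$1
    log="$root/usr/local/cwpsrv/logs/access_log"
    sess="$root/home/victim/tmp/session"
    echo "token values logged: $(count_token_exposure "$log")"
    list_token_exposure "$log"
    for p in "$sess" "$log"; do
        if world_accessible "$p"; then
            echo "world-accessible, hardening: $p"
            harden_path "$p"
        fi
    done
}

fx=$(make_fixtures)
audit "$fx"
rm -rf "$fx"
```

On a real host, point `count_token_exposure` and `world_accessible` at the actual /usr/local/cwpsrv/logs/access_log and each /home/*/tmp/session directory instead of the fixtures; a non-zero count after the permissions are tightened still means the token is being logged, and the log should then be rotated and the sessions it names treated as exposed.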

Weakness Enumeration

Insertion of sensitive information into log file

Related Identifiers

CVE-2019-15235

Affected Products

Centos Web Panel