CVE-2020-15422

Name of the Vulnerable Software and Affected Versions CentOS Web Panel versions cwp-e17.0.9.8.923

Description The issue is related to the implementation of the ajax mod security.php script in CentOS Web Panel, where the archivo parameter does not properly neutralize special elements in user-supplied input. This allows a remote attacker to execute arbitrary code without requiring authentication. The flaw exists within the ajax mod security.php script when parsing the archivo parameter, which does not validate the user-supplied string before using it to execute a system call. An attacker can leverage this to execute code in the context of root.

Recommendations For CentOS Web Panel version cwp-e17.0.9.8.923, consider disabling the ajax mod security.php script or restricting access to it until a patch is available. As a temporary workaround, avoid using the archivo parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.