CVE-2021-45467

Name of the Vulnerable Software and Affected Versions CentOS Web Panel versions prior to 0.9.8.1107

Description The issue is related to incorrect handling of code generation in CentOS Web Panel, allowing a remote attacker to execute arbitrary code using a specially crafted request. An unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key. For example, a URI like /user/loader.php?api=1&scripts= .%00./.%00./api/account new create&acc=guadaapi can be used. Any number of %00 instances can be used for the scripts parameter.

Recommendations For versions prior to 0.9.8.1107, update to version 0.9.8.1107 or later to resolve the issue. As a temporary workaround, consider restricting access to the /user/loader.php endpoint until a patch is applied. Avoid using the scripts parameter in the affected API endpoint until the issue is resolved.