PT-2025-31689 · Zpanel · Zpanel
Published 2025-08-01 · Updated 2025-08-04 · CVE-2013-10053
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
ZPanel version 10.0.0.2
Description
A remote command execution issue exists in the htpasswd module. The inHTUsername field, when creating .htaccess files, is passed to a system() call without proper sanitization, which invokes the system's htpasswd binary. An authenticated attacker can execute arbitrary system commands by injecting shell metacharacters into the username field. Exploitation requires a valid ZPanel account within the Users, Resellers, or Administrators groups, but does not require elevated privileges.
Recommendations
Ensure the inHTUsername field is properly sanitized before being passed to the system() call when creating .htaccess files.
Fix
OS Command Injection
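The following PHP is an added illustration of the recommendation above, not ZPanel's own code: a hypothetical htpasswd helper that interpolates the username straight into a system() command string, beside a hardened version that allowlists the username and quotes every argument with escapeshellarg(). Function names, the .htpasswd path and the sample inputs are constructed for the example.

```php
<?php
// Added example (not ZPanel's code). Function names and inputs are hypothetical.

// Vulnerable pattern: the username is interpolated into the command string,
// so any shell metacharacters in it are interpreted by /bin/sh when system()
// runs the command.
function build_htpasswd_command_unsafe(string $file, string $user, string $pass): string
{
    return "htpasswd -b $file $user $pass";
}

// Hardened pattern, step 1: allowlist the username instead of trying to
// strip "bad" characters. Letters, digits, dot, underscore, hyphen; 1..32 chars.
function validate_ht_username(string $user): bool
{
    return preg_match('/^[A-Za-z0-9._-]{1,32}$/', $user) === 1;
}

// Hardened pattern, step 2: reject invalid input, then quote each argument.
// escapeshellarg() wraps a value in single quotes and escapes embedded quotes,
// so the shell sees each value as one literal argument.
function build_htpasswd_command_safe(string $file, string $user, string $pass): ?string
{
    if (!validate_ht_username($user)) {
        return null;
    }
    return 'htpasswd -b ' . escapeshellarg($file) . ' '
        . escapeshellarg($user) . ' ' . escapeshellarg($pass);
}

// Constructed sample inputs.
$file = '/var/www/example/.htpasswd';
$good = 'alice';
$bad  = 'alice; x';   // contains a shell metacharacter

assert(validate_ht_username($good) === true);
assert(validate_ht_username($bad) === false);
assert(build_htpasswd_command_safe($file, $bad, 'pw') === null);

// Only the validated, quoted command would ever reach system().
echo build_htpasswd_command_safe($file, $good, 's3cret'), PHP_EOL;
```

Note that `htpasswd -b` takes the password on the command line, where it is visible in the process list; a hardened implementation should also prefer writing the hash directly (for example with password_hash() and a bcrypt-compatible format) rather than shelling out at all.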
Weakness Enumeration
Related Identifiers
Affected Products
Zpanel