Lucene search
PRIOn knowledge basePRION:CVE-2021-45467HistoryDec 26, 2022 - 5:15 a.m.
Code injection
2022-12-2605:15:00
PRIOn knowledge base
www.prio-n.com
4
code injection
cwp
unauthenticated
api key
centos web panel
security vulnerability
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
| CPE | Name | Operator | Version |
|---|---|---|---|
| webpanel | lt | 0.9.8.1107 |
Related
cve
cve
CVE-2021-45467
2022-12-26 05:15:10
cvelist
cvelist
CVE-2021-45467
2022-12-26 00:00:00
thn
thn
Ebury Botnet Malware Compromises 400,000 Linux Servers Over Past 14 Years
2024-05-15 10:56:00
Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks
2022-01-22 04:04:00
nvd
nvd
CVE-2021-45467
2022-12-26 05:15:10
checkpoint_advisories
checkpoint_advisories
CWP Panel Remote Code Execution (CVE-2021-45467; CVE-2021-45466)
2022-02-27 00:00:00
threatpost
threatpost
Linux Servers at Risk of RCE Due to Critical CWP Bugs
2022-01-24 23:08:56
Skeletons in the Closet: Security 101 Takes a Backseat to 0-days
2022-04-22 10:56:16