CVSS: 7.5EPSS: 0%CPEs: 55EXPL: 1CVE-2019-19906 – cyrus-sasl: denial of service in _sasl_add_string function
https://notcve.org/view.php?id=CVE-2019-19906
cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl. cyrus-sasl (también se conoce como Cyrus SASL) versión 2.1.27, presenta una escritura fuera de límites conllevando a una denegación de servicio remota no autenticada en OpenLDAP por medio de un paquete LDAP malformado. El bloqueo de OpenLDAP es causado en última instancia por un error por un paso en la función _sasl_add_string en el archivo common.c en cyrus-sasl. • http://seclists.org/fulldisclosure/2020/Jul/23 http://seclists.org/fulldisclosure/2020/Jul/24 http://www.openwall.com/lists/oss-security/2022/02/23/4 https://github.com/cyrusimap/cyrus-sasl/issues/587 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://lists.debian.org/debian-lts-announce/2019/12/msg00027.h • CWE-193: Off-by-one Error CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 3CVE-2019-14246 – CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 phpMyAdmin Password Change
https://notcve.org/view.php?id=CVE-2019-14246
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account. En CentOS-WebPanel.com (también conocido como CWP) CentOS Web Panel versión 0.9.8.851, una referencia de objeto insegura permite a un atacante descubrir contraseñas phpMyAdmin (de cualquier usuario en / etc / passwd) a través de una cuenta de atacante. CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.851 allows an attacker to change arbitrary passwords. • http://packetstormsecurity.com/files/154156/CentOS-Control-Web-Panel-CWP-0.9.8.851-phpMyAdmin-Password-Change.html http://packetstormsecurity.com/files/154156/CentOS-WebPanel.com-CentOS-Control-Web-Panel-CWP-0.9.8.851-phpMyAdmin-Password-Change.html http://packetstormsecurity.com/files/154156/CentOS-WebPanel.com-Control-Web-Panel-CWP-0.9.8.851-phpMyAdmin-Password-Change.html https://centos-webpanel.com/changelog-cwp7 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 3CVE-2019-14245 – CentOS-WebPanel.com Control Web Panel (CWP) 0.9.8.851 Arbitrary Database Drop
https://notcve.org/view.php?id=CVE-2019-14245
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account. En CentOS-WebPanel.com (también conocido como CWP) CentOS Web Panel versión 0.9.8.851, una referencia de objeto insegura permite a un atacante eliminar bases de datos (como oauthv2) del servidor a través de una cuenta de atacante. CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.851 suffers from an arbitrary database dropping vulnerability. • http://packetstormsecurity.com/files/154155/CentOS-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html http://packetstormsecurity.com/files/154155/CentOS-WebPanel.com-CentOS-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html http://packetstormsecurity.com/files/154155/CentOS-WebPanel.com-Control-Web-Panel-CWP-0.9.8.851-Arbitrary-Database-Drop.html https://centos-webpanel.com/changelog-cwp7 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-13386 – CentOS-WebPanel.com Control Web Panel 0.9.8.836 Remote Command Execution
https://notcve.org/view.php?id=CVE-2019-13386
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege. En CentOS Web Panel de CentOS-WebPanel.com (también se conoce como CWP) versión 0.9.8.846, una característica action=9 oculta en el archivo filemanager2.php, permite a los atacantes ejecutar un comando de shell, es decir, obtener un shell inverso con privilegios de usuario. CentOS-WebPanel.com Control Web Panel (CWP) version 0.9.8.836 suffers from a remote command execution vulnerability. • http://packetstormsecurity.com/files/153876/CentOS-Control-Web-Panel-0.9.8.836-Remote-Command-Execution.html https://centos-webpanel.com/changelog-cwp7 https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13386.md • CWE-863: Incorrect Authorization •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-10893 – CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-10893
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute. CentOS-WebPanel.com (también conocido CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) y 0.9.8.753 (Pro) es vulnerable a Corss-Site Scripting (XSS) almacenado/persistente en el campo "Admin Email" en la pantalla "CWP Settings > "Edit Settings". Cambiando el ID del email a cualquier payload XSS y clicando en "Save Changes", se ejecutará el payload XSS CentOS Web Panel versions 0.9.8.793 (Free) and 0.9.8.753 (Pro) suffer from an email field persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/46669 http://forum.centos-webpanel.com/informations http://packetstormsecurity.com/files/152437/CentOS-Web-Panel-0.9.8.793-Free-0.9.8.753-Pro-Cross-Site-Scripting.html http://www.securityfocus.com/bid/108035 https://packetstormsecurity.com/files/152437/centoswp098email-xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •