CVE-2019-13360

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://packetstormsecurity.com/files/153665/CentOS-Control-Web-Panel-0.9.8.836-Authentication-Bypass.html	Third Party Advisory VDB Entry
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13360.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:control-webpanel:webpanel:0.9.8.836:*:*:*:*:*:*:*

History

24 Jan 2023, 18:57

Type	Values Removed	Values Added
First Time		Control-webpanel Control-webpanel webpanel
CPE	cpe:2.3:a:centos-webpanel:centos_web_panel:0.9.8.836:::::::*	cpe:2.3:a:control-webpanel:webpanel:0.9.8.836:::::::*

Information

Published : 2019-07-16 17:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-13360

Mitre link : CVE-2019-13360

CVE.ORG link : CVE-2019-13360

JSON object : View

Products Affected

control-webpanel

webpanel

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2019-13360", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-07-16T17:15:12.267", "references": [{"url": "http://packetstormsecurity.com/files/153665/CentOS-Control-Web-Panel-0.9.8.836-Authentication-Bypass.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13360.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username."}, {"lang": "es", "value": "En CentOS Web Panel versi\u00f3n 0.9.8.836 de CentOS-WebPanel.com (tambi\u00e9n se conoce como CWP), los atacantes remotos pueden omitir la autenticaci\u00f3n en el proceso de inicio de sesi\u00f3n mediante el aprovechamiento del conocimiento de un nombre de usuario v\u00e1lido."}], "lastModified": "2023-01-24T18:57:12.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:control-webpanel:webpanel:0.9.8.836:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BC6A1C9-5200-439D-BD96-3153D69CEFD6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}