CVE-2022-44877
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
05/01/2023
Last modified:
14/03/2025
Description
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:control-webpanel:webpanel:*:*:*:*:*:*:*:* | 0.9.8.1147 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/170388/Control-Web-Panel-7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170820/Control-Web-Panel-Unauthenticated-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Jan/1
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
- https://www.youtube.com/watch?v=kiLfSvc1SYY
- http://packetstormsecurity.com/files/170388/Control-Web-Panel-7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170820/Control-Web-Panel-Unauthenticated-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Jan/1
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
- https://www.youtube.com/watch?v=kiLfSvc1SYY