CVE-2019-16295

low-risk
Published 2019-10-31

Stored XSS in filemanager2.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.885 exists via the cmd_arg parameter. This can be exploited by a local attacker who supplies a crafted filename within a directory visited by the victim.

Do I need to act?

-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.6/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Control-Webpanel

References (4)

Exploit http://packetstormsecurity.com/files/154990/CWP-0.9.8.885-Cross-Site-Scripting.h...
Release Notes https://centos-webpanel.com/changelog-cwp7
Exploit http://packetstormsecurity.com/files/154990/CWP-0.9.8.885-Cross-Site-Scripting.h...
Release Notes https://centos-webpanel.com/changelog-cwp7
21
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal