CVE-2019-15235

MEDIUM Year: 2019
CVSS v3 Score
6.5
Medium
CVSS v2 Score
4.0
Medium
Weakness Type
CWE-532
View all →

Vulnerability Description

CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.864 allows an attacker to get a victim's session file name from /home/[USERNAME]/tmp/session/sess_xxxxxx, and the victim's token value from /usr/local/cwpsrv/logs/access_log, then use them to gain access to the victim's password (for the OS and phpMyAdmin) via an attacker account. This is different from CVE-2019-14782.

Related Vulnerabilities

CVE-2016-10362

MEDIUM
CVSS:6.5(Medium)

Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.

CWE-5322016

CVE-2016-10819

MEDIUM
CVSS:6.5(Medium)

In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).

CWE-5322016

CVE-2017-11134

MEDIUM
CVSS:6.5(Medium)

An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The login credentials are written into a log file on the device. Hence, an attacker with access to the logs can read them.

CWE-5322017

CVE-2017-3744

MEDIUM
CVSS:6.5(Medium)

In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated ...

CWE-5322017

CVE-2018-0504

MEDIUM
CVSS:6.5(Medium)

Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid

CWE-5322018

CVE-2018-19014

MEDIUM
CVSS:6.5(Medium)

Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all versions, Kappa, all version, and Infinity Explorer C700, all versions. Log files are accessible over an unauthenticated network conn...

CWE-5322018