CVE-2013-10053 Information

Aug 02, 2025 cve

Description

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users Resellers or Administrators groups—but no elevated privileges.

Reference

https://github.com/zpanel/zpanelx https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/zpanel_username_exec.rb https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2 https://www.vulncheck.com/advisories/zpanel-htpasswd-module-username-command-execution

CNNVD-202508-099 (Published: 2025-08-01)

Share on:

CVE-2013-10053 Information

Description

Reference

Related CNNVD