CVE-2019-18418
published 2019-10-24

CVE-2019-18418: clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management.

Priority P2 · 68 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 4.00% (89.3rd percentile)

Affected

1 range

Vendor: clonos
Product: clonos
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /clonos.php
path: /json.php
command: POST /json.php  mode=getJsonPage&path=/users/&hash=&db_path=
command: POST mode=usersEdit&path=/users/&hash=&db_path=&form_data[username]=<user>&form_data[password]=<pass>&form_data[password1]=<pass>&form_data[actuser]=on&form_data[user_id]=<id>
  • Detect unauthenticated POST requests to /json.php with mode=getJsonPage and path=/users/: this is the user enumeration phase of the exploit and requires no valid session.
  • Detect unauthenticated POST requests containing mode=usersEdit and form_data[password] sent to the ClonOS web panel: this is the password-change step, which the server accepts without validating any session.
  • The exploit sends X-Requested-With: XMLHttpRequest, as the panel's own AJAX calls do, so that header by itself is not a signal; the indicator is such a request arriving without an authenticated session cookie. Because the server enforces no session management, an attacker can equally attach an arbitrary cookie, so treat cookie presence as a confidence modifier rather than as proof that the request was legitimate.
  • Monitor for password change requests to clonos.php that succeed without a prior authenticated session; the vulnerability is the complete absence of session management on this endpoint.
  • The exploit targets ClonOS WEB control panel version 19.09 specifically; other versions are not confirmed vulnerable.
  • The hash and db_path POST parameters are sent as empty strings in the exploit, suggesting the server does not validate or require them; detections should not rely on these fields being populated.
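The rules above as a small Python checker run over constructed request records. This is an added example for this page, not ClonOS code and not the source PoC. It assumes request records that still carry the POST body (as a reverse proxy or WAF with body logging would emit; plain access logs do not), and, because the panel's session cookie name is not given here, it treats any non-empty Cookie header as the session marker. The endpoint set, severity labels, helper names and sample records are all assumptions made for the example.

```python
"""Flag the two request shapes of the CVE-2019-18418 exploit against ClonOS 19.09.

Added example, not ClonOS code. Input is a list of request records as a reverse
proxy or WAF with body logging would emit (method, url, headers, body); plain
access logs do not carry POST bodies and cannot feed this check.
"""
from urllib.parse import parse_qs, urlsplit

# Endpoints named on this page; both live in the panel's web root (assumed set).
PANEL_ENDPOINTS = {"/clonos.php", "/json.php"}


def _first(params, name):
    """First value of a form field, or '' when the field is absent."""
    return params.get(name, [""])[0]


def classify(record):
    """Return a finding string for one request, or None when it is not of interest."""
    if record["method"].upper() != "POST":
        return None
    if urlsplit(record["url"]).path not in PANEL_ENDPOINTS:
        return None

    params = parse_qs(record["body"], keep_blank_values=True)
    mode = _first(params, "mode")
    headers = {k.lower(): v for k, v in record["headers"].items()}

    # Assumption: a logged-in operator's browser carries a session cookie. The
    # cookie name is not given on this page, so "any non-empty Cookie header"
    # stands in for it; substitute the real name once known.
    has_cookie = bool(headers.get("cookie", "").strip())

    # Phase 1 of the exploit: enumerate users to learn a user_id.
    if mode == "getJsonPage" and _first(params, "path") == "/users/":
        return None if has_cookie else "high: unauthenticated user enumeration (getJsonPage /users/)"

    # Phase 2: change a password. hash/db_path are deliberately not checked,
    # because the exploit sends them empty and the server does not require them.
    if mode == "usersEdit" and "form_data[password]" in params:
        if not has_cookie:
            return "critical: unauthenticated password change (usersEdit)"
        # The server performs no session validation, so an attacker can attach any
        # cookie; its presence lowers confidence but does not clear the request.
        return "medium: password change with a cookie present; verify against the session store"

    return None


def scan(records):
    """Return (index, finding) for every record that classify() flags."""
    findings = []
    for i, record in enumerate(records):
        finding = classify(record)
        if finding is not None:
            findings.append((i, finding))
    return findings


# Constructed sample records (not captured traffic). Records 1 and 2 mirror the
# two POST shapes listed under Detection & IOCs, with the same empty hash/db_path
# fields; the username and user_id values are made up for the sample.
SAMPLE_RECORDS = [
    {"method": "GET", "url": "/clonos.php", "headers": {}, "body": ""},
    {"method": "POST", "url": "/json.php",
     "headers": {"X-Requested-With": "XMLHttpRequest"},
     "body": "mode=getJsonPage&path=/users/&hash=&db_path="},
    {"method": "POST", "url": "/json.php",
     "headers": {"X-Requested-With": "XMLHttpRequest"},
     "body": ("mode=usersEdit&path=/users/&hash=&db_path="
              "&form_data%5Busername%5D=admin&form_data%5Bpassword%5D=Hunter2"
              "&form_data%5Bpassword1%5D=Hunter2&form_data%5Bactuser%5D=on"
              "&form_data%5Buser_id%5D=1")},
    {"method": "POST", "url": "/json.php",
     "headers": {"Cookie": "sess=example", "X-Requested-With": "XMLHttpRequest"},
     "body": "mode=usersEdit&path=/users/&form_data%5Bpassword%5D=Hunter2"},
    {"method": "POST", "url": "/json.php", "headers": {},
     "body": "mode=getJsonPage&path=/jails/&hash=&db_path="},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {finding}")
```

The X-Requested-With header is deliberately not used as a trigger: the panel's own front end sends it on every AJAX call, so it would only add noise. The cookie check is a heuristic for the same reason the page gives, namely that nothing server-side ties a cookie to a session, so a usersEdit request with a cookie is downgraded rather than dropped and should be reconciled against whatever session store the deployment keeps.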

CVSS provenance

NVD · CVSS v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P