CVE-2019-18418
Published 2019-10-24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management.
Priority P268 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see references)
EPSS: 4.00% (89.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clonos | clonos | — | — |
Detection & IOCs (extracted from sources)

Command (exploit request body, from the PoC):
`POST mode=usersEdit&path=/users/&hash=&db_path=&form_data[username]=<user>&form_data[password]=<pass>&form_data[password1]=<pass>&form_data[actuser]=on&form_data[user_id]=<id>`
- Detect unauthenticated POST requests to /json.php with the parameters mode=getJsonPage and path=/users/: this is the user-enumeration phase of the exploit and requires no valid session.
- Detect unauthenticated POST requests to the ClonOS web panel containing mode=usersEdit together with form_data[password]: this is the password-change step, and the server performs no session validation before acting on it.
- Flag HTTP requests to ClonOS endpoints that carry the header X-Requested-With: XMLHttpRequest without an accompanying authenticated session cookie. The exploit sends only this header, and the server enforces no session management. On its own this is a low-fidelity signal, because browser AJAX libraries (jQuery, for example) set the same header on legitimate calls; use it to enrich the mode=usersEdit and mode=getJsonPage matches above rather than as a standalone rule.
- Monitor for password-change requests to clonos.php that succeed without a prior authenticated session; the vulnerability is the complete absence of session management on this endpoint.
- The exploit targets ClonOS WEB control panel version 19.09 specifically; other versions are not confirmed vulnerable.
- The hash and db_path POST parameters are sent as empty strings in the exploit, suggesting the server does not validate or require them; detections should not rely on these fields being populated.
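The two detection steps above (unauthenticated enumeration of /users/ through getJsonPage, then an unauthenticated usersEdit password change) implemented over constructed request records, as an added example that is not part of the original advisory and not ClonOS code. The log format and its field names (src, method, path, cookie, headers, body) are assumptions about what a proxy or WAF might emit; matching is done on the POST body parameters named above rather than on the script path, and a usersEdit hit from a source that already enumerated /users/ is escalated to the full exploit chain:

```python
"""Detection for the CVE-2019-18418 exploit pattern: unauthenticated user
enumeration (mode=getJsonPage, path=/users/) followed by an unauthenticated
usersEdit password change.

Added example; not ClonOS code. Input is a constructed proxy/WAF log with
one JSON object per line. Field names (src, method, path, cookie, headers,
body) are assumptions about the log format, not a real product schema.
"""
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample records, not captured traffic. Lines 1-2: the two-step
# exploit from one source with no cookie. Line 3: the same usersEdit body but
# with a session cookie present. Lines 4-5: benign noise.
SAMPLE_LOG = r'''
{"src":"10.0.0.5","method":"POST","path":"/json.php","cookie":"","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"mode=getJsonPage&path=/users/"}
{"src":"10.0.0.5","method":"POST","path":"/clonos.php","cookie":"","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"mode=usersEdit&path=/users/&hash=&db_path=&form_data[username]=admin&form_data[password]=Pwned1&form_data[password1]=Pwned1&form_data[actuser]=on&form_data[user_id]=1"}
{"src":"192.168.1.20","method":"POST","path":"/clonos.php","cookie":"PHPSESSID=abc123","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"mode=usersEdit&path=/users/&hash=deadbeef&db_path=/var/db/clonos&form_data[username]=bob&form_data[password]=x&form_data[password1]=x&form_data[actuser]=on&form_data[user_id]=7"}
{"src":"192.168.1.21","method":"GET","path":"/index.php","cookie":"PHPSESSID=def456","headers":{},"body":""}
{"src":"10.0.0.9","method":"POST","path":"/json.php","cookie":"","headers":{"X-Requested-With":"XMLHttpRequest"},"body":"mode=getJsonPage&path=/dashboard/"}
'''


def classify(rec: Dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one request record, or None if benign."""
    if rec.get("method") != "POST":
        return None
    # keep_blank_values so that hash= and db_path= survive as keys: the PoC
    # sends them empty and the server accepts that, so never condition on them.
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    mode = params.get("mode", [""])[0]
    page = params.get("path", [""])[0]
    has_cookie = bool(rec.get("cookie", "").strip())

    if mode == "usersEdit" and "form_data[password]" in params:
        if not has_cookie:
            return ("high", "usersEdit password change with no session cookie")
        # The panel does no session management, so a cookie proves nothing;
        # still worth a review, at lower priority.
        return ("medium", "usersEdit password change with a cookie present")
    if mode == "getJsonPage" and page == "/users/" and not has_cookie:
        return ("medium", "unauthenticated enumeration of /users/ via getJsonPage")
    return None


def scan(log_text: str) -> List[Dict]:
    """Scan a whole log; a usersEdit hit that follows /users/ enumeration from
    the same source is escalated to 'critical' (the full exploit chain)."""
    alerts: List[Dict] = []
    enumerators = set()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        hit = classify(rec)
        if hit is None:
            continue
        severity, reason = hit
        src = rec.get("src", "?")
        if reason.startswith("unauthenticated enumeration"):
            enumerators.add(src)
        elif severity == "high" and src in enumerators:
            severity = "critical"
            reason += "; preceded by user enumeration from the same source"
        # X-Requested-With is recorded for context only: browser AJAX libraries
        # set it on legitimate calls, so it is not used as a trigger here.
        ajax = rec.get("headers", {}).get("X-Requested-With") == "XMLHttpRequest"
        alerts.append({"src": src, "severity": severity,
                       "reason": reason, "ajax": ajax})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['severity']:8} {a['src']:14} {a['reason']}")
```

On the constructed log this yields three alerts: a medium enumeration hit and a critical chained password change from 10.0.0.5, and a medium usersEdit hit from 192.168.1.20 whose cookie is present but, given the absent session handling, meaningless as proof of authentication.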
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/154986/ClonOs-WEB-UI-19.09-Improper-Access-Control.html
https://github.com/Andhrimnirr/ClonOS-WEB-control-panel-multi-vulnerability