July 2024 - Exodus Intelligence

Softaculous Webuzo Authentication Bypass

July 25, 2024 by Exodus Advisories

EIP-ce40b086

Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user.

Vulnerability Identifier

Exodus Intelligence: EIP-ce40b086
MITRE: CVE-2024-24621

Vulnerability Metrics

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSv2 Score: 10.0

Vendor References

https://webuzo.com/blog/webuzo-4-2-9-launched/

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to vendor: July 11, 2024
Patched by vendor: July 12, 2024
Disclosed to public: July 25, 2024

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com

Softaculous Webuzo FTP Management Command Injection

July 25, 2024July 25, 2024 by Exodus Advisories

EIP-4ab5e9b4

Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.

Vulnerability Identifier

Exodus Intelligence: EIP-4ab5e9b4
MITRE: CVE-2024-24623

Vulnerability Metrics

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv2 Score: 9.0

Vendor References

https://webuzo.com/blog/webuzo-4-2-9-launched/

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to vendor: July 11, 2024
Patched by vendor: July 12, 2024
Disclosed to public: July 25, 2024

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com

Softaculous Webuzo Password Reset Command Injection

July 25, 2024July 25, 2024 by Exodus Advisories

EIP-92dd8e27

Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.

Vulnerability Identifier

Exodus Intelligence: EIP-92dd8e27
MITRE: CVE-2024-24622

Vulnerability Metrics

CVSSv2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv2 Score: 9.0

Vendor References

https://webuzo.com/blog/webuzo-4-2-9-launched/

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to vendor: July 11, 2024
Patched by vendor: July 12, 2024
Disclosed to public: July 25, 2024

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com

Softaculous Webuzo Authentication Bypass

EIP-ce40b086

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

Softaculous Webuzo FTP Management Command Injection

EIP-4ab5e9b4

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

Softaculous Webuzo Password Reset Command Injection

EIP-92dd8e27

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

Intelligence

Support

Company