

Product             : CWP Control Web Panel
Vulnerability Name  : User panel login bypass
version             :
Fixed on            :
Test on             : CentOS 7.6.1810 (Core)
Reference           :
CVE-Number          : CVE-2019-13360


By leveraging knowledge of a valid username, remote attackers can bypass the login process and become the target user.


  1. Log in with a valid username and an invalid password

  2. Intercept the request

  3. Release the request and intercept the response

  4. Prepare the bypassing string
     Bypassing format : <username>||/<username>/theme/original
     Bypassing string : user1||/user1/theme/original
     Base64 encoding  : dXNlcjF8fC91c2VyMS90aGVtZS9vcmlnaW5hbA==

  5. Replace the result in the response body

  6. Become the target user


2019-06-29: Discovered the bug
2019-06-29: Reported to vendor
2019-06-29: Vendor accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-15: Advisory published

Discovered by

Pongtorn Angsuchotmetee