
Product             : CWP Control Web Panel
Vulnerability Name  : User enumeration on user panel
Version             :
Fixed on            :
Tested on           : CentOS 7.6.1810 (Core)
Reference           :
CVE-Number          : CVE-2019-13383


The vulnerability allows a remote attacker to check whether a username is valid by reading the HTTP response.


The target server has a user named "user1".
  1. Log in with an invalid username and password.
  2. Intercept the request.
  3. For that request, if the user does not exist, the server responds with "suspended".
  4. If the user does exist, the server responds with "failed" or nothing (depending on the version).
  5. Try brute-forcing usernames against the server.
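
The following is an added example, not CWP's code and not part of the original advisory: a minimal model of a login handler that answers "suspended" or "failed" as described above, next to a hardened form that returns one response for every failure, plus a regression check that reports whether the two cases can be told apart. All function names, the account store and the password are constructed for the illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed account store for the model: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"user1": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown username costs the same hash work as a real one.
_DUMMY = (os.urandom(16), os.urandom(32))


def login_vulnerable(username: str, password: str) -> str:
    """Models the advisory: the response body depends on account existence."""
    record = USERS.get(username)
    if record is None:
        return "suspended"  # unknown username
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "failed"  # known username, wrong password


def login_hardened(username: str, password: str) -> str:
    """Every failure follows the same code path and returns the same body."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return "ok"
    return "failed"


def leaks_existence(login, known_user: str, absent_user: str) -> bool:
    """Regression check: do failed logins for a known and an absent user differ?"""
    wrong = "not-the-password"
    return login(known_user, wrong) != login(absent_user, wrong)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "leaks:", leaks_existence(fn, "user1", "no-such-user"))
```
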


2019-07-06: Discovered the bug
2019-07-06: Reported to vendor
2019-07-06: Vendor accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-15: Advisory published

Discovered by

Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak