Vulnerability Uncovered in aaPanel Hosting Control Panel

aaPanel is a free and open-source hosting control panel for RHEL- and Debian-based systems. It is the internationalized version of the BAOTA panel (www.bt.cn), developed in China. It allows users to manage their web server through a web-based GUI (graphical user interface).

Features

  • Nginx or Apache
  • Multiple PHP versions (5.4 to 7.3)
  • DNS management
  • Mail server
  • MySQL, MariaDB or MongoDB
  • PureFTP
  • Memcached
  • Redis
  • Amazon S3 and Google Cloud Storage

Vulnerability

A vulnerability with a CVSS score of 8.8, tracked as CVE-2020-14950, was uncovered. It affects all aaPanel versions through 6.6.6 and allows remote authenticated users to execute arbitrary commands via shell metacharacters in a modified /system?action=ServiceAdmin request (start, stop, or restart) sent from the setting menu of the Software Store.

Mitigation

It is recommended that users upgrade to the latest version (currently 6.6.9) immediately.
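As an added defender-side example (not aaPanel's own code; aaPanel is written in Python, hence the language), the sketch below shows the two controls that close this bug class: a service-admin handler that validates both request values against a fixed allowlist and invokes subprocess with an argv list rather than a shell string, plus a small audit over constructed request lines that flags ServiceAdmin calls carrying shell metacharacters or unknown service names. The service list, the `name`/`type` parameter names and the log format are assumptions, not taken from aaPanel.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlparse

# Assumed for this example, not taken from aaPanel: the controllable services,
# the actions the advisory names, and the request parameter names name/type.
ALLOWED_SERVICES = {"nginx", "apache", "php-fpm", "mysql", "redis", "memcached"}
ALLOWED_ACTIONS = {"start", "stop", "restart"}
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")

def build_service_argv(service, action):
    """Reject anything outside fixed allowlists and return an argv list.
    Allowlisting (rather than stripping characters) plus argv with shell=False
    means request data is never parsed by a shell, the defect class here."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unsupported action: %r" % action)
    if service not in ALLOWED_SERVICES:
        raise ValueError("unsupported service: %r" % service)
    return ["systemctl", action, service]

def run_service_action(service, action):
    # List form with shell=False (the default) never goes through /bin/sh.
    return subprocess.run(build_service_argv(service, action),
                          capture_output=True).returncode

def audit_service_admin_requests(log_lines):
    """Flag ServiceAdmin requests whose name/type values carry shell
    metacharacters or fall outside the allowlists. Input lines are
    'METHOD URL' (constructed format; POST bodies appear only if logged)."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        url = urlparse(line.strip().rpartition(" ")[2])
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path != "/system" or params.get("action") != ["ServiceAdmin"]:
            continue
        for key, allowed in (("name", ALLOWED_SERVICES), ("type", ALLOWED_ACTIONS)):
            for value in params.get(key, []):
                if SHELL_META.search(value):
                    findings.append((lineno, key, "shell metacharacter"))
                elif value not in allowed:
                    findings.append((lineno, key, "value not in allowlist"))
    return findings

SAMPLE_LOG = [  # constructed sample requests, not real aaPanel traffic
    "POST /system?action=ServiceAdmin&name=nginx&type=restart",
    "POST /system?action=ServiceAdmin&name=nginx%3Btrue&type=restart",
    "POST /system?action=GetSystemTotal",
    "POST /system?action=ServiceAdmin&name=dropbear&type=start",
]
```

Running `audit_service_admin_requests(SAMPLE_LOG)` flags line 2 (a `;` survives URL decoding) and line 4 (a service outside the allowlist), while line 1 passes and line 3 is ignored as a different action.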


For more information about the currently available web hosting control panels please refer to this article.
