Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2013-10053
PUBLISHED
More InfoOfficial Page
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
View Known Exploited Vulnerability (KEV) details
Published At-01 Aug, 2025 | 20:49
Updated At-04 Aug, 2025 | 16:05
Rejected At-
▼CVE Numbering Authority (CNA)
ZPanel <= 10.0.0.2 htpasswd Module Username Command Execution

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.

Affected Products
Vendor
ZPanel Project
Product
ZPanel
Modules
  • htpasswd module
Default Status
unaffected
Versions
Affected
  • From * through 10.0.0.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-88CAPEC-88 OS Command Injection
Solutions
Configurations
Workarounds
Exploits
Credits
finder
shachibista
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/zpanel_username_exec.rb
exploit
https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2
N/A
https://github.com/zpanel/zpanelx
product
https://www.vulncheck.com/advisories/zpanel-htpasswd-module-username-command-execution
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2
exploit
Details not found