Byte Open Security (ByteOS Network)
CVE Vulnerability Details: CVE-2014-125123
Status: PUBLISHED
Assigner: VulnCheck
Assigner Org ID: 83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At: 31 Jul 2025, 14:57
Updated At: 31 Jul 2025, 18:48
Rejected At: (not rejected)

CVE Numbering Authority (CNA)
Kloxo < 6.1.12 Unauthenticated SQL Injection RCE

An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which is used in a database query without proper neutralization, allowing an unauthenticated attacker to extract the administrator's password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and use the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host. This vulnerability was reported to be exploited in the wild in January 2014; the CVE identifier was assigned retrospectively by VulnCheck and published on 31 July 2025.
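The advisory describes a two-stage chain: an injection through the login-name parameter of lbin/webcommand.php, then Command Center (display.php) use with the recovered credentials. The following is an added detection example written for this page; it is not code from LXCenter, from the Metasploit module or from the Exploit-DB entry listed in the references. It assumes the login name reaches /lbin/webcommand.php as a query-string parameter literally named "login-name", that the Command Center is served from /display.php, and that the web server writes Apache combined-format access logs; the log lines in the block are constructed, not captured traffic, and the injection payloads are generic illustrations rather than the ones used in the wild.

```python
"""Detection helpers for the Kloxo < 6.1.12 unauthenticated SQLi chain (CVE-2014-125123).

Added example for this advisory page, not LXCenter, Metasploit or Exploit-DB code.
Assumptions: the login name arrives as the query parameter "login-name" on
/lbin/webcommand.php, the Command Center is /display.php, and the access log is in
Apache combined format. SAMPLE_LOG below is constructed, not real traffic.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one source (203.0.113.7) sends injection payloads in login-name and
# reaches display.php shortly afterwards; an ordinary user (198.51.100.23) logs in with a
# name that merely contains an apostrophe and also visits display.php.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2014:03:12:01 +0000] "GET /lbin/webcommand.php?login-name=admin'%20OR%201=1-- HTTP/1.1" 200 512 "-" "python-requests/2.2"
203.0.113.7 - - [14/Jan/2014:03:12:05 +0000] "GET /lbin/webcommand.php?login-name=admin'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 812 "-" "python-requests/2.2"
203.0.113.7 - - [14/Jan/2014:03:13:40 +0000] "POST /display.php HTTP/1.1" 200 2048 "-" "python-requests/2.2"
198.51.100.23 - - [14/Jan/2014:08:01:11 +0000] "GET /lbin/webcommand.php?login-name=o'brien HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jan/2014:08:02:30 +0000] "GET /display.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)

# Indicators chosen so that an apostrophe inside a legitimate name (o'brien) is not
# enough on its own: a quote must be followed by a boolean/union clause, or a
# comment sequence / tautology / timing function must be present.
SQLI_RE = re.compile(
    r"""(?:'|")\s*(?:or|and|union)\b|--|/\*|\bunion\s+select\b"""
    r"""|\bor\s+\d+\s*=\s*\d+|\b(?:sleep|benchmark)\s*\(""",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        # parse_qs percent-decodes, so %20OR%20 becomes " OR " before matching.
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m["status"]),
    }


def is_sqli_login(event):
    """True when a request to lbin/webcommand.php carries injection indicators in login-name."""
    if not event["path"].endswith("/lbin/webcommand.php"):
        return False
    return any(SQLI_RE.search(v) for v in event["query"].get("login-name", []))


def analyze(log_text, window=timedelta(minutes=30)):
    """Return injection probes per source, and sources whose probe was followed by display.php.

    A display.php request on its own is ordinary administrator activity, so it is only
    reported when the same source sent an injection probe within `window` beforehand;
    that ordering is the credential-theft-then-Command-Center chain in the advisory.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    first_probe = {}
    probe_count = 0
    for e in events:
        if is_sqli_login(e):
            probe_count += 1
            first_probe.setdefault(e["ip"], e["ts"])
    chained = set()
    for e in events:
        start = first_probe.get(e["ip"])
        if start is not None and e["path"].endswith("/display.php"):
            if timedelta(0) <= e["ts"] - start <= window:
                chained.add(e["ip"])
    return {
        "sqli_requests": probe_count,
        "sqli_sources": set(first_probe),
        "chained_sources": chained,
    }


def is_affected(version):
    """Version check for the advisory's range: every dotted-integer release before 6.1.12."""
    return tuple(int(p) for p in version.split(".")) < (6, 1, 12)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("injection probes:", result["sqli_requests"], "from", sorted(result["sqli_sources"]))
    print("probe followed by display.php use:", sorted(result["chained_sources"]))
    print("6.1.11 affected:", is_affected("6.1.11"), "| 6.1.12 affected:", is_affected("6.1.12"))
```

The indicator list deliberately requires more than a lone quote, since legitimate login names can contain one; tune SQLI_RE against your own traffic rather than treating it as a complete signature. Because the CVSS vector on this page is PR:N, a hit on the first stage from an unauthenticated source is already worth an alert; the display.php correlation only raises the priority.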

Affected Products
Vendor: LXCenter
Product: Kloxo
Modules:
  • lbin/webcommand.php
  • display.php
Default Status: unaffected
Affected Versions:
  • From * before 6.1.12 (semver)
Problem Types
Type: CWE
CWE ID: CWE-89
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
Version: CVSS 4.0
Base score: 10.0
Base severity: CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Impacts
CAPEC ID: CAPEC-66
Description: SQL Injection
Solutions, Configurations, Workarounds, Exploits, Credits, Timeline, Replaced By, Rejected Reason: no entries provided by the CNA.
References
  • https://web.archive.org/web/20140301125222/http://www.webhostingtalk.com/showthread.php?p=8996984 (resource type not given)
  • https://web.archive.org/web/20141118054734/https://vpsboard.com/topic/3384-kloxo-installations-compromised/ (resource type not given)
  • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/kloxo_sqli.rb (exploit)
  • https://github.com/lxcenter/kloxo (product)
  • https://www.exploit-db.com/exploits/31577 (exploit)
  • https://www.vulncheck.com/advisories/kloxo-unauth-sqli-rce (third-party-advisory)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: details not found (no affected products, metrics, impacts, solutions, workarounds, exploits, credits, timeline or references published by this ADP).