A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.
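The pattern described above and one way to close it, as an added example: this is not ZPanel's code, and the function names, htpasswd flags and sample usernames are assumptions chosen for illustration.

```php
<?php
// Added illustration, not ZPanel source. All names here are hypothetical.

// The class of bug described above: a form value is concatenated into a
// command line, so the shell interprets any metacharacters it contains.
function add_htuser_unsafe(string $file, string $user, string $pass): void
{
    system("htpasswd -b -c " . $file . " " . $user . " " . $pass);
}

// Allowlist for account names. The first character may not be '-', so the
// value can never be parsed by htpasswd as an option; ':' and whitespace
// are excluded because they are not valid in an htpasswd user name.
function valid_htuser(string $user): bool
{
    return preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}\z/', $user) === 1;
}

// Hardened form: validate first, then run htpasswd without a shell.
function add_htuser(string $file, string $user, string $pass): bool
{
    if (!valid_htuser($user)) {
        return false;
    }
    // An array command (PHP 7.4+) is executed directly, with no shell.
    // -i reads the password from stdin, keeping it off the command line.
    $cmd  = ['htpasswd', '-i', '-c', $file, $user];
    $spec = [
        0 => ['pipe', 'r'],
        1 => ['file', '/dev/null', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $pass . "\n");
    fclose($pipes[0]);
    return proc_close($proc) === 0;
}

// Constructed inputs: two ordinary names, one option-like value, one value
// containing a shell metacharacter. Only the first two pass validation.
foreach (['alice', 'bob.smith', '-D', 'alice;id'] as $u) {
    printf("%-10s %s\n", $u, valid_htuser($u) ? 'accepted' : 'rejected');
}
```

Validation and shell-free execution are independent controls: the allowlist also blocks option injection, which `escapeshellarg()` alone would not.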
                
History

Mon, 04 Aug 2025 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Mon, 04 Aug 2025 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Zpanel Project Zpanel Project zpanel | |
| Vendors & Products | Zpanel Project Zpanel Project zpanel | |

Fri, 01 Aug 2025 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges. | |
| Title | ZPanel <= 10.0.0.2 htpasswd Module Username Command Execution | |
| Weaknesses | CWE-78 | |
| References | | |
| Metrics | cvssV4_0 | |

MITRE
Status: PUBLISHED
Assigner: VulnCheck
Published: 2025-08-01T20:49:05.360Z
Updated: 2025-08-04T16:05:30.420Z
Reserved: 2025-08-01T15:30:06.448Z
Link: CVE-2013-10053

Vulnrichment
Updated: 2025-08-04T16:04:40.759Z

NVD
Status: Awaiting Analysis
Published: 2025-08-01T21:15:27.290
Modified: 2025-08-04T16:15:31.957
Link: CVE-2013-10053

Redhat
No data.