CVE-2013-10053

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.

CVSS

No CVSS.

References

Link	Resource
https://github.com/zpanel/zpanelx
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/zpanel_username_exec.rb
https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2
https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2
https://www.vulncheck.com/advisories/zpanel-htpasswd-module-username-command-execution

Configurations

No configuration.

History

01 Aug 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-01 21:15

Updated : 2025-08-04 16:15

NVD link : CVE-2013-10053

Mitre link : CVE-2013-10053

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/zpanel/zpanelx", "name": "https://github.com/zpanel/zpanelx", "tags": [], "refsource": ""}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/zpanel_username_exec.rb", "name": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/zpanel_username_exec.rb", "tags": [], "refsource": ""}, {"url": "https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2", "name": "https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2", "tags": [], "refsource": ""}, {"url": "https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2", "name": "https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2", "tags": [], "refsource": ""}, {"url": "https://www.vulncheck.com/advisories/zpanel-htpasswd-module-username-command-execution", "name": "https://www.vulncheck.com/advisories/zpanel-htpasswd-module-username-command-execution", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system\u2019s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account\u2014such as one in the default Users, Resellers, or Administrators groups\u2014but no elevated privileges."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-10053", "ASSIGNER": "disclosure@vulncheck.com"}}, "impact": {}, "publishedDate": "2025-08-01T21:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-08-04T16:15Z"}