ISPConfig
Showing 1-12 of 12 CVEs

Recent CVEs

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17384 | ISPConfig | High | 0.57 | 8.8 | 0.01 | — | Dec 7, 2017 | ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain root access by creating a crafted cron job. |
| CVE-2018-17984 | ISPConfig | High | 0.51 | 7.8 | 0.03 | — | Oct 4, 2018 | An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access. |
| CVE-2025-52206 | ISPConfig | Medium | 0.31 | 4.7 | 0.00 | — | May 5, 2026 | ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage. |
| CVE-2023-46818 | ISPConfig | — | 0.10 | — | 0.14 | — | Oct 27, 2023 | An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled. |
| CVE-2013-3629 | ISPConfig | — | 0.09 | — | 0.43 | — | Feb 7, 2020 | ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution. |
| CVE-2015-4119 | ISPConfig | — | 0.03 | — | 0.01 | — | Jun 15, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php or (2) arbitrary users for… |
| CVE-2015-4118 | ISPConfig | — | 0.03 | — | 0.02 | — | Jun 15, 2015 | SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote attackers using CVE-2015-4119. |
| CVE-2006-3042 | ISPConfig | — | 0.03 | — | 0.03 | — | Jun 15, 2006 | Multiple PHP remote file inclusion vulnerabilities in ISPConfig 2.2.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) go_info[isp][classes_root] parameter in (a) server.inc.php, and the (2) go_info[server][classes_root] parameter in (b) app.inc.php, (c)… |
| CVE-2006-2315 | ISPConfig | — | 0.03 | — | 0.05 | — | May 12, 2006 | PHP remote file inclusion vulnerability in session.inc.php in ISPConfig 2.2.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the go_info[server][classes_root] parameter. NOTE: the vendor has disputed this vulnerability, saying that… |
| CVE-2021-3021 | ISPConfig | — | 0.00 | — | 0.02 | — | Jan 5, 2021 | ISPConfig before 3.2.2 allows SQL injection. |
| CVE-2020-9398 | ISPConfig | — | 0.00 | — | 0.01 | — | Feb 25, 2020 | ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL injection. |
| CVE-2012-2087 | ISPConfig | — | 0.00 | — | 0.03 | — | Jan 23, 2020 | ISPConfig 3.0.4.3: the "Add new Webdav user" function can chmod and chown the entire server from the client interface. |