A critical remote code execution vulnerability has been identified in ZPanel that allows attackers to reset the root password and gain access to the server.
According to the forum post, the latest stable version, 10.0.2, is also affected by this security flaw. The poster has also provided steps to reproduce the vulnerability.
The flaw exists in the ZPX HTPASSWD module, which fails to sanitize user input before it reaches the shell. It allows anyone with access to the page, including admins, resellers and clients, to inject arbitrary shell commands that run on the server.
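To show the class of bug described above, here is an added illustration written for this article; it is not ZPanel's code and the function names, file path and regex are assumptions. The first function interpolates a user-supplied name straight into a shell command, so a value such as `user; id > /tmp/x` terminates the htpasswd command and runs whatever follows with the web server's privileges. The second avoids the shell entirely: it validates the username against a strict allow-list, hashes the password in PHP, and appends the entry itself.

```php
<?php
// Added example, not ZPanel code: the general "unsanitized input reaches a
// shell" pattern behind an htpasswd-management command injection, and a
// hardened alternative. All names and paths here are hypothetical.

// VULNERABLE: $user and $pass are dropped into the command line unquoted.
// Metacharacters (';', '|', '$(...)', backticks) are interpreted by the shell.
function vulnerable_add_user(string $file, string $user, string $pass): string
{
    return (string) shell_exec("htpasswd -b $file $user $pass 2>&1");
}

// HARDENED: never spawn a shell. Restrict the username to a conservative
// character set and length, reject field/record separators in the password,
// and write the htpasswd line directly. Apache 2.4's htpasswd accepts
// bcrypt ($2y$) hashes, which PASSWORD_BCRYPT produces.
function hardened_add_user(string $file, string $user, string $pass): bool
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
    if (strpbrk($pass, ":\r\n") !== false) {   // ':' separates fields, newlines separate entries
        throw new InvalidArgumentException('invalid password');
    }
    $hash = password_hash($pass, PASSWORD_BCRYPT);
    $line = $user . ':' . $hash . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Usage with a constructed input: the hardened version refuses the
// injection attempt, the vulnerable one would have executed it.
$attacker_name = 'user; id > /tmp/x';
try {
    hardened_add_user('/tmp/example.htpasswd', $attacker_name, 'secret');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

If the htpasswd binary must be called, every argument should at least be wrapped in `escapeshellarg()` and the command built with `proc_open()`'s array form where the PHP version supports it, but the allow-list plus direct file write above removes the shell from the picture altogether, which is the more robust fix.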
The vulnerability has been confirmed by ZPanel Head Developer and Project Leader Bobby Allen. ZPanel users are advised to disable the HTPASSWD module until a fix is available.
The team is currently testing the patched file, which has been committed to GitHub, and has promised to issue a manual patch once testing is complete.