clonos.php in ClonOS WEB control panel 19.09 allows remote malicious users to gain full access via change password requests because there is no session management.
clonos clonos 19.09