Unauthorized Remote Code Execution via Shell Metacharacters in File Manager Upload

CVE-2024-51568

10 CRITICAL

Key Information

Vendor: CyberPanel
CVE Published: 29 October 2024

Badges

📰 News Worthy

Summary

CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. The /filemanager/upload endpoint (aka File Manager upload) allows unauthenticated remote code execution via shell metacharacters.

News Articles

PSAUX Ransomware exploits CyberPanel Vulnerabilities

The PSAUX ransomware has been seen exploiting CyberPanel vulnerabilities that affect versions 2.3.6 and 2.3.7 and permit unauthenticated attackers to gain root access, enabling complete control over affected systems. The vulnerabilities are tracked as CVE-2024-51567, CVE-2024-51568, and CVE-2024-51378, each...

2 months ago

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 📰 First article discovered by TheCyberThrone

  • Vulnerability published

Collectors

NVD Database, Mitre Database, 1 News Article(s)