Vulnerability Details CVE-2024-51567
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.943
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 10.0
Proposed Action
CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root.
Ransomware Campaign
Unknown
References
- https://cwe.mitre.org/data/definitions/420.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cyberpanel.net/KnowledgeBase/home/change-logs/
- https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
- https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
- https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
Products affected by CVE-2024-51567
-
cpe:2.3:a:cyberpanel:cyberpanel:-
-
cpe:2.3:a:cyberpanel:cyberpanel:1.7.1
-
cpe:2.3:a:cyberpanel:cyberpanel:1.7.2
-
cpe:2.3:a:cyberpanel:cyberpanel:1.7.3
-
cpe:2.3:a:cyberpanel:cyberpanel:1.7.4
-
cpe:2.3:a:cyberpanel:cyberpanel:1.7.5
-
cpe:2.3:a:cyberpanel:cyberpanel:1.7.6
-
cpe:2.3:a:cyberpanel:cyberpanel:1.7.7
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.1
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.2
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.3
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.4
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.5
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.7
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.8
-
cpe:2.3:a:cyberpanel:cyberpanel:1.8.9
-
cpe:2.3:a:cyberpanel:cyberpanel:1.9.0
-
cpe:2.3:a:cyberpanel:cyberpanel:1.9.1
-
cpe:2.3:a:cyberpanel:cyberpanel:1.9.2
-
cpe:2.3:a:cyberpanel:cyberpanel:1.9.3
-
cpe:2.3:a:cyberpanel:cyberpanel:1.9.4
-
cpe:2.3:a:cyberpanel:cyberpanel:2.0.0
-
cpe:2.3:a:cyberpanel:cyberpanel:2.0.1
-
cpe:2.3:a:cyberpanel:cyberpanel:2.0.2
-
cpe:2.3:a:cyberpanel:cyberpanel:2.0.3
-
cpe:2.3:a:cyberpanel:cyberpanel:2.1.1
-
cpe:2.3:a:cyberpanel:cyberpanel:2.1.2
-
cpe:2.3:a:cyberpanel:cyberpanel:2.3.4
-
cpe:2.3:a:cyberpanel:cyberpanel:2.3.5
-
cpe:2.3:a:cyberpanel:cyberpanel:2.3.6
-
cpe:2.3:a:cyberpanel:cyberpanel:2.3.7