CVE-2024-51378

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
Configurations

Configuration 1 (hide)

cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*

History

06 Dec 2024, 18:17

Type Values Removed Values Added
CWE CWE-78
References () https://cwe.mitre.org/data/definitions/420.html - () https://cwe.mitre.org/data/definitions/420.html - Technical Description
References () https://cwe.mitre.org/data/definitions/78.html - () https://cwe.mitre.org/data/definitions/78.html - Technical Description
References () https://cyberpanel.net/KnowledgeBase/home/change-logs/ - () https://cyberpanel.net/KnowledgeBase/home/change-logs/ - Release Notes
References () https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel - () https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel - Product
References () https://github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683 - () https://github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683 - Patch
References () https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/ - () https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/ - Exploit
References () https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/ - () https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/ - Exploit, Press/Media Coverage
First Time Cyberpanel
Cyberpanel cyberpanel
CPE cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*

30 Oct 2024, 15:35

Type Values Removed Values Added
CWE CWE-276
Summary
  • (es) getresetstatus en dns/views.py y ftp/views.py en CyberPanel (también conocido como Cyber Panel) anterior a 1c0c6cb permite a atacantes remotos omitir la autenticación y ejecutar comandos arbitrarios a través de /dns/getresetstatus o /ftp/getresetstatus omitiendo secMiddleware (que es solo para una solicitud POST) y utilizando metacaracteres de shell en la propiedad statusfile, como lo explotó PSAUX en octubre de 2024. Las versiones hasta 2.3.6 y 2.3.7 (sin parchear) se ven afectadas.

30 Oct 2024, 00:15

Type Values Removed Values Added
Summary (en) getresetstatus in dns/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. (en) getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

29 Oct 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-29 23:15

Updated : 2024-12-06 18:17


NVD link : CVE-2024-51378

Mitre link : CVE-2024-51378

CVE.ORG link : CVE-2024-51378


JSON object : View

Products Affected

cyberpanel

  • cyberpanel
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-276

Incorrect Default Permissions