10
CVE-2024-51378
- EPSS 93.85%
- Veröffentlicht 29.10.2024 23:15:04
- Zuletzt bearbeitet 07.11.2025 19:02:54
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Logingetresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cyberpanel ≫ Cyberpanel Version < 2.3.8
04.12.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
CyberPanel Incorrect Default Permissions Vulnerability
SchwachstelleCyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.
BeschreibungApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 93.85% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| cve@mitre.org | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.