CVE-2024-51567

Warnung

Medienbericht

Exploit

EPSS 86.73%
Veröffentlicht 29.10.2024 23:15:04
Zuletzt bearbeitet 07.11.2025 19:02:50
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 11

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cyberpanel ≫ Cyberpanel Version < 2.3.8

07.11.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

CyberPanel Incorrect Default Permissions Vulnerability

Schwachstelle

CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	86.73%	0.997

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cve@mitre.org	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://cwe.mitre.org/data/definitions/78.html

Technical Description

https://cwe.mitre.org/data/definitions/420.html

Technical Description

https://cyberpanel.net/KnowledgeBase/home/change-logs/

Release Notes

https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel

Product

https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/

Press/Media Coverage

https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce

Patch

Exploit

https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515

Patch

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-51567

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2024-51567

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-51567

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-51567

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-51567

07.11.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog