vulnerability
CyberPersons CyberPanel: CVE-2024-51378: Improper Neutralization of Special Elements used in an OS Command
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Oct 29, 2024 | Apr 30, 2025 | May 1, 2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Oct 29, 2024
Added
Apr 30, 2025
Modified
May 1, 2025
Description
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
Solution
cyberpersons-cyberpanel-upgrade-latest
References
- CVE-2024-51378
- https://attackerkb.com/topics/CVE-2024-51378
- URL-https://cwe.mitre.org/data/definitions/78.html
- URL-https://github.com/usmannasir/cyberpanel/commit/1c0c6cbcf71abe573da0b5fddfb9603e7477f683
- URL-https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
- URL-https://cyberpanel.net/KnowledgeBase/home/change-logs/
- URL-https://cwe.mitre.org/data/definitions/420.html
- URL-https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
- URL-https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.