CyberPanel upgrademysqlstatus authentication bypass and command injection

Added: 11/07/2024

Background

CyberPanel is a web hosting control panel.

Problem

A pair of vulnerabilities in the upgrademysqlstatus web resource could allow a remote attacker to bypass authentication using a PUT request and execute arbitrary commands with a specially crafted statusfile parameter.

Resolution

Upgrade to the latest version of CyberPanel.
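To review whether a host received requests matching the condition described under Problem, the following added example (not part of the original advisory or of CyberPanel) scans web access log lines for requests to the upgrademysqlstatus resource and ranks them by HTTP method and response status. The combined log format, the set of "normal" methods, and the sample lines with their `/example/` path prefix are assumptions. Access logs normally do not record request bodies, so the statusfile value itself is not inspected.

```python
import re
from collections import defaultdict

# Combined/common log format (assumption; adjust to the panel's web server logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
RESOURCE = "upgrademysqlstatus"            # resource named in the advisory
NORMAL_METHODS = {"GET", "POST", "HEAD"}   # assumption: verbs the panel UI sends


def scan(lines):
    """Return {client_ip: [finding, ...]} for requests touching the resource."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or RESOURCE not in m["path"].lower():
            continue
        method, status = m["method"], int(m["status"])
        if method not in NORMAL_METHODS:
            # Unusual verb on this resource; a 2xx reply means it was served.
            severity = "high" if 200 <= status < 300 else "medium"
        else:
            severity = "info"
        findings[m["ip"]].append(
            {"ts": m["ts"], "method": method, "status": status, "severity": severity}
        )
    return dict(findings)


# Constructed sample lines (not real traffic; documentation IP ranges).
SAMPLE = [
    '198.51.100.7 - - [07/Nov/2024:10:01:02 +0000] "PUT /example/upgrademysqlstatus HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Nov/2024:10:01:05 +0000] "OPTIONS /example/upgrademysqlstatus HTTP/1.1" 403 0',
    '203.0.113.9 - - [07/Nov/2024:10:02:00 +0000] "POST /example/upgrademysqlstatus HTTP/1.1" 200 64',
    '203.0.113.9 - - [07/Nov/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE).items():
        for h in hits:
            print(ip, h["ts"], h["method"], h["status"], h["severity"])
```

A "high" finding on a host that was running an unpatched version is a reason to treat the system as potentially compromised and investigate further, not only to upgrade.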

References

https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel

Platforms

Linux
