CyberPanel Security Update Advisory
Overview
An update has been released to address vulnerabilities in CyberPanel. Users of the affected versions are advised to update to the latest version.
Affected Products
CVE-2024-51378, CVE-2024-51567
- CyberPanel versions: ~ 2.3.6 (inclusive)
- CyberPanel versions: Unpatched 2.3.7
CVE-2024-51568
- CyberPanel versions: ~ 2.3.5 (excluded)
Resolved Vulnerabilities
Security verification bypass in the getresetstatus function in dns/views.py and ftp/views.py allows remote attackers to execute arbitrary commands (CVE-2024-51378)
Vulnerability in databases/views.py bypassing security validation in the upgrademysqlstatus function, allowing remote attackers to execute arbitrary commands (CVE-2024-51567)
Command injection vulnerability in ProcessUtilities.outputExecutioner() via completePath in the file manager upload function (CVE-2024-51568)
Vulnerability Patches
Vulnerability patches have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.
CVE-2024-51378, CVE-2024-51567
- CyberPanel version: 2.3.7
CVE-2024-51568
- CyberPanel version: 2.3.5
Referenced Sites
[1] CVE-2024-51378 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-51378
[2] CVE-2024-51567 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-51567
[3] CVE-2024-51568 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-51568
[4] Details and fix of recent security issue and patch of CyberPanel
https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
[5] Change Logs
https://cyberpanel.net/KnowledgeBase/home/change-logs/
[6] CyberPanel v2.3.5 and Security Release Announcement