CVE-2021-37840

Name of the Vulnerable Software and Affected Versions: aaPanel versions 6.8.12 and earlier

Description: The issue involves Cross-Site WebSocket Hijacking (CSWH) where an attacker can execute OS commands within WebSocket messages at a ws:// URL for /webssh. This can happen if the victim has configured Terminal with at least one host. The success of the exploitation depends on the browser used by the potential victim, with examples including successful exploitation with Firefox but not Chrome.

Recommendations: For versions 6.8.12 and earlier, consider disabling the /webssh feature until a patch is available to prevent potential Cross-Site WebSocket Hijacking (CSWH) attacks. Restrict access to the Terminal configuration to minimize the risk of exploitation. Avoid using browsers that are susceptible to this type of attack, such as Firefox, when accessing the vulnerable aaPanel versions.