PT-2024-34711 · Unknown · Cyberpanel

Published: 2024-10-29 · Updated: 2025-09-01 · CVE-2024-51568

CVSS v3.1: 10 (Critical)

Vector: AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

Name of the Vulnerable Software and Affected Versions

CyberPanel versions prior to 2.3.5

Description

The issue allows command injection through completePath in the ProcessUtilities.outputExecutioner() function, enabling unauthenticated remote code execution via shell metacharacters at the "/filemanager/upload" endpoint, also known as File Manager upload.

Recommendations

For versions prior to 2.3.5, update to version 2.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/filemanager/upload" endpoint until a patch is applied. Avoid using the completePath variable in the ProcessUtilities.outputExecutioner() function until the issue is resolved.
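The class of bug described above, shown as an added example that is not CyberPanel's code: a request-supplied path concatenated into a shell string, next to a form that confines the path and passes it as a single argv element with no shell. The function names, the `ls` command, the temporary directory and the sample value are assumptions made for illustration.

```python
import os
import subprocess
import tempfile

def list_unsafe(complete_path):
    """Injectable pattern: the path is pasted into a string that /bin/sh parses."""
    cmd = "ls -la " + complete_path          # ';', '|', '$()' become shell syntax
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def list_safe(complete_path, base_dir):
    """Hardened pattern: confine the path, then pass it as one argv element."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, complete_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    # No shell is involved; "--" keeps a leading '-' from being read as an option.
    argv = ["ls", "-la", "--", target]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def demo():
    """Run both patterns on a constructed, harmless input in a temp directory."""
    with tempfile.TemporaryDirectory() as base:
        open(os.path.join(base, "a.txt"), "w").close()
        hostile = "a.txt; echo INJECTED"      # constructed sample value
        unsafe_out = list_unsafe(os.path.join(base, hostile))
        safe_out = list_safe(hostile, base)
        normal_out = list_safe("a.txt", base)
        try:
            list_safe("../../etc/passwd", base)
            escaped = True
        except ValueError:
            escaped = False
    return unsafe_out, safe_out, normal_out, escaped

if __name__ == "__main__":
    unsafe_out, safe_out, normal_out, escaped = demo()
    print("shell string ran second command:", "INJECTED" in unsafe_out)
    print("argv list ran second command:   ", "INJECTED" in safe_out)
    print("traversal accepted:             ", escaped)
```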

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2024-51568

Affected Products: Cyberpanel