CVE-2024-51567

Name of the Vulnerable Software and Affected Versions: CyberPanel versions through 2.3.6 and (unpatched) 2.3.7

Description: The issue is related to the upgrademysqlstatus function in CyberPanel, which has inadequate authentication procedures. This allows a remote attacker to bypass authentication and execute arbitrary commands via the /dataBases/upgrademysqlstatus endpoint by using shell metacharacters in the statusfile property. The vulnerability has been exploited in the wild in October 2024 by PSAUX.

Recommendations: For versions through 2.3.6 and (unpatched) 2.3.7, consider disabling the upgrademysqlstatus function in databases/views.py to prevent exploitation until a patch is available. Restrict access to the /dataBases/upgrademysqlstatus endpoint to minimize the risk of exploitation. Avoid using the statusfile property in the affected endpoint until the issue is resolved.