Today (Nov 7, 2024) we received our first vulnerability report affecting OpenPanel UI pages for FileManager, FixPermissions, and TimeZone . The issue involves path traversal and insufficient validation on these pages, which allows an authenticated OpenPanel user to access files within their own container as well as the OpenPanel UI container. Please note that files from other users or the OS cannot be accessed with this . Nov 7, 2024, 4:15 PM - received report via email Nov 7, 2024, 6:00 PM - reproduced the issues Nov 7, 2024, 6:45 PM - created a patch Nov 7, 2024, 7:40 PM - pushed to testing Nov 7, 2024, 8:12 PM - disclosed information on forums and discord Nov 8, 2024, 3:14 PM - released an update that fixes these vulnerabilities Dev 5, 2024, 3:54 PM - received reserved cve number: CVE-2024-53537 An update notification will be sent tomorrow to all servers, and the patch will be automatically installed on servers with the autopatch option enabled.

🚨 Several vulnerabilities in user interface before v0.3.5

stefan

Today (Nov 7, 2024) we received our first vulnerability report affecting OpenPanel UI pages for FileManager, FixPermissions, and TimeZone. The issue involves path traversal and insufficient validation on these pages, which allows an authenticated OpenPanel user to access files within their own container as well as the OpenPanel UI container.

Please note that files from other users or the OS cannot be accessed with this.

Nov 7, 2024, 4:15 PM - received report via email
Nov 7, 2024, 6:00 PM - reproduced the issues
Nov 7, 2024, 6:45 PM - created a patch
Nov 7, 2024, 7:40 PM - pushed to testing
Nov 7, 2024, 8:12 PM - disclosed information on forums and discord
Nov 8, 2024, 3:14 PM - released an update that fixes these vulnerabilities
Dev 5, 2024, 3:54 PM - received reserved cve number: CVE-2024-53537

An update notification will be sent tomorrow to all servers, and the patch will be automatically installed on servers with the autopatch option enabled.

MixDelo

@stefan not enough time to do any proper tests. consider postponing the update until monday?

PS. We are working on getting CVE IDs
if anyone has experience with those, please message me

stefan

MixDelo 0.3.5 - Released on November 08, 2024

stefan

We finaly received a cve number for the vulnerabilities in OpenPanel <0.3.5: CVE-2024-53537

If anyone has a CNA for publishing the cve - please share