OpenAdmin
🚨 Several vulnerabilities in user interface before v0.3.5

Today (Nov 7, 2024) we received our first vulnerability report affecting OpenPanel UI pages for FileManager, FixPermissions, and TimeZone. The issue involves path traversal and insufficient validation on these pages, which allows an authenticated OpenPanel user to access files within their own container as well as the OpenPanel UI container.

Please note that files from other users or the OS cannot be accessed with this.

  • Nov 7, 2024, 4:15 PM - received report via email
  • Nov 7, 2024, 6:00 PM - reproduced the issues
  • Nov 7, 2024, 6:45 PM - created a patch
  • Nov 7, 2024, 7:40 PM - pushed to testing
  • Nov 7, 2024, 8:12 PM - disclosed information on forums and discord
  • Nov 8, 2024, 3:14 PM - released an update that fixes these vulnerabilities
  • Dec 5, 2024, 3:54 PM - received reserved CVE number: CVE-2024-53537

An update notification will be sent tomorrow to all servers, and the patch will be automatically installed on servers with the autopatch option enabled.
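A containment check of the kind that closes this bug class, added here as an example and not OpenPanel's own code: any file-manager style page that takes a user-supplied path resolves it against the caller's permitted root and rejects whatever lands outside. The directory layout, file names and symlink are constructed for the demo and assume a POSIX filesystem.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the permitted root."""


def resolve_within(root: Path, requested: str) -> Path:
    """Resolve `requested` against `root`; refuse anything that escapes it.

    Both root and candidate are canonicalised (symlinks followed), so '..'
    segments, absolute paths and symlink escapes all fail the same
    containment test instead of needing separate pattern blacklists.
    """
    root_real = root.resolve(strict=True)
    # Treat the request as relative to root even when it starts with '/'.
    candidate = (root_real / requested.lstrip("/")).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {root_real}") from None
    return candidate


def demo() -> dict:
    """Probe a constructed layout; map each request to its confined path
    relative to the user's home, or None when it was rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        home = base / "home" / "alice"
        home.mkdir(parents=True)
        (home / "notes.txt").write_text("mine\n")
        (base / "etc").mkdir()
        (base / "etc" / "secret.conf").write_text("not mine\n")
        # Constructed symlink inside the home that points outside it.
        os.symlink(base / "etc", home / "escape")
        home_real = home.resolve()
        results = {}
        for req in ("notes.txt", "sub/../notes.txt", "../../etc/secret.conf",
                    "/etc/secret.conf", "escape/secret.conf"):
            try:
                results[req] = str(resolve_within(home, req).relative_to(home_real))
            except PathTraversalError:
                results[req] = None
        return results
```

Note that a leading "/" is reinterpreted as relative to the root rather than rejected, so "/etc/secret.conf" maps harmlessly to a path inside the home; the ".." and symlink probes are the ones that are refused.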

@stefan Not enough time to do any proper tests. Consider postponing the update until Monday?


PS. We are working on getting CVE IDs.
If anyone has experience with those, please message me.

a month later

We finally received a CVE number for the vulnerabilities in OpenPanel <0.3.5: CVE-2024-53537

If anyone has a CNA for publishing the CVE - please share