CVE-2024-34352

2024-05-1415:38:43

CWE-77

[email protected]

web.nvd.nist.gov

panel

open source

linux server

command injections

arbitrary file writes

rces

v1.10.3-lts

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

Percentile

9.0%

JSON

1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol > can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts.