This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: CyberPanel < 2.3.8 suffers from **OS Command Injection** via the `phpSelection` field in `/websites/submitWebsiteCreation`.β¦
π‘οΈ **Root Cause**: **Shell Metacharacter Injection**. The `phpSelection` input is not sanitized before being passed to the OS command execution function in `websiteFunctions/views.py`.β¦
π¦ **Affected**: **CyberPanel** versions **< 2.3.8**. π§ͺ **Tested On**: Version 2.3.7. π **Component**: The `submitWebsiteCreation` endpoint handling website creation.
Q4What can hackers do? (Privileges/Data)
π **Capabilities**: **Remote Code Execution (RCE)**. π **Impact**: Hackers gain the privileges of the web server process. They can read/modify data, install backdoors, or pivot to other internal systems.β¦
π **Threshold**: **Medium**. π« **Requirement**: **Authentication Required**. The attacker must **first login** to the CyberPanel web interface.β¦
π **Self-Check**: 1. Check CyberPanel version (must be < 2.3.8). 2. Verify if `/websites/submitWebsiteCreation` is accessible. 3. Use the provided PoC script to test if you have valid credentials.β¦
β‘ **Urgency**: **HIGH**. π **Priority**: Critical for anyone running CyberPanel < 2.3.8. Even though auth is needed, leaked credentials are common. RCE risk is severe.β¦