CyberPanel v2.3.5 Security Update: Auth Bypass, LFI, Command Injection Fixes

From this webpage screenshot, the following key vulnerability information can be obtained: 1. WebTerminal Authentication Bypass: - Affected Versions: 1.9.2 and 2.1.1 - Scope: WebTerminal Authentication Bypass - Resolution: Fully removed from version 2.1.1 onwards. 2. Authentication Bypass and Local File Inclusion (LFI) in CloudAPI: - Scope: CloudAPI - Resolution: Fixed; API access must be explicitly enabled for external access, otherwise it is disabled by default. 3. Authentication Bypass in File Manager's Upload Functionality: - Scope: File Manager's upload functionality - Resolution: Fixed; security vulnerability caused by human error. 4. Security Middleware Bypass and Bypass of Security Controls in commandInjectionCheck(): - Scope: Security Middleware - Resolution: Fixed; comprehensive security checks covering most command injection scenarios have been implemented, and functions that bypassed checks have been adjusted to run only when triggered by root or external sources. 5. Insecure Generation and Storage of API Tokens: - Scope: API token generation and storage - Resolution: Strengthened to ensure a more secure process. 6. Broken Authentication and Local File Inclusion (LFI) in /api/FetchRemoteTransferStatus endpoint: - Scope: /api/FetchRemoteTransferStatus endpoint - Resolution: Fixed; the endpoint now has proper authentication, but specific commands were running before authentication was completed. This issue was resolved in version 2.3.5. This information indicates that CyberPanel v2.3.5 addressed multiple known vulnerabilities through a series of security improvements, including WebTerminal authentication bypass, LFI in CloudAPI, security flaws in the File Manager’s upload functionality, bypasses in Security Middleware and security controls, insecure API token generation and storage, and LFI in the /api/FetchRemoteTransferStatus endpoint.

Goal Reached Thanks to every supporter — we hit 100%!

CyberPanel v2.3.5 Security Update: Auth Bypass, LFI, Command Injection Fixes