CVE-2024-51567

🗓️ 29 Oct 2024 00:00:00Reported by mitreType

cve

cve🔗 web.nvd.nist.gov📰️ 5 Media mentions👁 240 Views🌐 WEB

CyberPanel upgrademysqlstatus vulnerabilit

Reporter	Title	Published	Views	Family All 26
0day.today	CyberPanel upgrademysqlstatus Arbitrary Command Execution Exploit	7 Nov 202400:00	–	zdt
ATTACKERKB	CVE-2024-51567	29 Oct 202400:00	–	attackerkb
BDU FSTEC	The vulnerability of the upgrademysqlstatus() function in the CyberPanel web hosting control panel allows a hacker to escalate their privileges and execute arbitrary commands.	12 Dec 202400:00	–	bdu_fstec
GithubExploit	Exploit for Missing Authentication for Critical Function in Cyberpanel	31 Oct 202421:55	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Cyberpanel	26 Nov 202402:18	–	githubexploit
Circl	CVE-2024-51567	30 Oct 202400:49	–	circl
CISA KEV Catalog	CyberPanel Incorrect Default Permissions Vulnerability	7 Nov 202400:00	–	cisa_kev
CISA	CISA Adds Four Known Exploited Vulnerabilities to Catalog	7 Nov 202412:00	–	cisa
CNNVD	CyberPanel 安全漏洞	29 Oct 202400:00	–	cnnvd
Cvelist	CVE-2024-51567	29 Oct 202400:00	–	cvelist

NVD

Vulnrichment

Node

cyberpanel cyberpanelRange<2.3.8

Source	Link
cyberpanel	www.cyberpanel.net/KnowledgeBase/home/change-logs/
dreyand	www.dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
bleepingcomputer	www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
github	www.github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515
cwe	www.cwe.mitre.org/data/definitions/78.html
cwe	www.cwe.mitre.org/data/definitions/420.html
cyberpanel	www.cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

Parameter	Position	Path	Description	CWE
statusfile	request body	dataBases/upgrademysqlstatus	Pre-auth RCE via upgrade mysql status endpoint by injecting commands in statusfile, bypassing CSRF protections.	CWE-306
csrftoken	request body	dataBases/upgrademysqlstatus	Pre-auth RCE via upgrade mysql status endpoint by injecting commands in statusfile, bypassing CSRF protections.	CWE-306
domainName	nested form-data (multipart)	filemanager/upload	CSRF-bypass/command-injection through completePath parameter in filemanager/upload endpoint.	CWE-306
completePath	nested form-data (multipart)	filemanager/upload	CSRF-bypass/command-injection through completePath parameter in filemanager/upload endpoint.	CWE-306
file	nested form-data (multipart)	filemanager/upload	CSRF-bypass/command-injection through completePath parameter in filemanager/upload endpoint.	CWE-306
statusfile	request body	ftp/getresetstatus	RCE via statusfile parameter on ftp/getresetstatus bypassing protections.	CWE-306
csrftoken	request body	ftp/getresetstatus	RCE via statusfile parameter on ftp/getresetstatus bypassing protections.	CWE-306
statusfile	request body	dns/getresetstatus	RCE via statusfile parameter on dns/getresetstatus bypassing protections.	CWE-306
csrftoken	request body	dns/getresetstatus	RCE via statusfile parameter on dns/getresetstatus bypassing protections.	CWE-306

17 Jun 2026 08:05Current

8.4High risk

Vulners AI Score8.4

CVSS 3.19.8 - 10

EPSS0.86725

SSVC

CWE-306 In Wild

cyberpanel upgrademysqlstatus authentication bypass arbitrary commands remote attackers shell metacharacters psaux october 2024 databases/views.py security vulnerability unpatched