CVE-2024-53537

Critical

Published: 31 January 2025

Published

31 January 2025

Modified

02 October 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0606 90.8th percentile

Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Description

An issue in OpenPanel v0.3.4 to v0.2.1 allows attackers to execute a directory traversal in File Actions of File Manager.

Security Summary

CVE-2024-53537 is a directory traversal vulnerability (CWE-22) affecting OpenPanel versions from v0.2.1 to v0.3.4. It resides in the File Actions feature of the File Manager component, where insufficient input validation allows attackers to access files outside the intended directory. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), reflecting network accessibility (AV:N), low attack complexity (AC:L), no required privileges (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality and integrity impacts (C:H/I:H), and no availability impact (A:N).

Remote, unauthenticated attackers can exploit this vulnerability over the network by crafting malicious requests to the File Manager's File Actions endpoint. Successful exploitation enables arbitrary file reads and modifications on the server, potentially leading to data exfiltration, tampering with sensitive configurations, or further compromise of the hosting environment.

The OpenPanel changelog for version 0.3.5 documents security fixes addressing this issue, recommending an upgrade to mitigate the vulnerability (https://openpanel.com/docs/changelog/0.3.5/#%EF%B8%8F-security-fixes). Additional details are available in the Packet Storm advisory (https://packetstorm.news/files/id/188913/).

Details

CWE(s): CWE-22

Affected Products

openpanel

0.2.1 — 0.3.4

References

https://openpanel.com/docs/changelog/0.3.5/#%EF%B8%8F-security-fixes
Broken Link · cve@mitre.org
https://packetstorm.news/files/id/188913/
Third Party Advisory · cve@mitre.org