Cyber Posture

CVE-2024-53584

Severity: Critical
Public PoC: yes
Published: 31 January 2025
Modified: 23 May 2025
KEV Added: none listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0329 (87.3rd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OpenPanel v0.3.4 was discovered to contain an OS command injection vulnerability via the timezone parameter.

Security Summary

CVE-2024-53584 is an OS command injection vulnerability affecting OpenPanel version 0.3.4, reachable through the timezone parameter. Published on 2025-01-31, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical, and maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

The CVSS vector rates the flaw as exploitable over the network with low attack complexity and no authentication, privileges, or user interaction. Successful exploitation yields arbitrary OS command execution on the host running OpenPanel, with high impact on confidentiality, integrity, and availability, which could lead to full system compromise. The PR:N rating is the scoring source's assessment; when triaging, check the PacketStorm write-up to confirm whether the affected endpoint is reachable without a session in your deployment.

Advisories reference OpenPanel's changelog for version 0.3.5, which lists the security fixes addressing this issue (https://openpanel.com/docs/changelog/0.3.5/#%EF%B8%8F-security-fixes); upgrading to 0.3.5 or later is the remediation. The affected-products data on this page enumerates only 0.3.4; earlier releases are not listed either way. Further technical details are available on PacketStorm (https://packetstorm.news/files/id/188915/).
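As an added illustration of the CWE-78 pattern behind this CVE, the following is example code written for this page, not OpenPanel's own source. It assumes a hypothetical control-panel handler that applies a user-supplied `timezone` value by running `timedatectl set-timezone`; the handler names, the command and the `known` allowlist parameter are assumptions. The vulnerable variant interpolates the value into a shell string, and `shell_commands` shows (without executing anything) how `/bin/sh` would split an injected value into a second command; the hardened variant validates the value against an allowlist of IANA zone names and passes it as a single argv element with no shell.

```python
"""Vulnerable vs. hardened timezone handler (added example, not OpenPanel code).

Assumptions (hypothetical, not taken from OpenPanel's source): a handler receives
a `timezone` form parameter and applies it with `timedatectl set-timezone <value>`.
"""
import re
import shlex
import subprocess
import zoneinfo
from typing import Iterable, List, Optional


# --- vulnerable pattern (CWE-78) ---------------------------------------------

def build_command_vulnerable(timezone: str) -> str:
    """Untrusted input interpolated into a shell command string."""
    return f"timedatectl set-timezone {timezone}"


def set_timezone_vulnerable(timezone: str) -> "subprocess.CompletedProcess[str]":
    """What the unsafe handler would do; never call this with untrusted input."""
    return subprocess.run(build_command_vulnerable(timezone), shell=True,
                          capture_output=True, text=True)


def shell_commands(command: str) -> List[List[str]]:
    """Approximate /bin/sh tokenisation so the injection is visible without
    running it: one argv list per command separated by ';', '&', '&&', '|', '||'."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token and all(ch in ";&|" for ch in token):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# --- hardened pattern --------------------------------------------------------

# IANA zone names: components of letters, digits, '_', '+', '-' joined by '/'.
_TZ_NAME = re.compile(r"[A-Za-z0-9_+-]+(?:/[A-Za-z0-9_+-]+)*")


def validate_timezone(timezone: str, known: Optional[Iterable[str]] = None) -> str:
    """Allowlist check: syntactic shape first, then membership in the host's
    tzdata (or a caller-supplied set, which is an assumption for testing)."""
    if len(timezone) > 64 or not _TZ_NAME.fullmatch(timezone):
        raise ValueError(f"rejected timezone value: {timezone!r}")
    allowed = set(known) if known is not None else zoneinfo.available_timezones()
    if timezone not in allowed:
        raise ValueError(f"unknown timezone: {timezone!r}")
    return timezone


def build_command_hardened(timezone: str,
                           known: Optional[Iterable[str]] = None) -> List[str]:
    """argv for subprocess.run(..., shell=False): the value is one argument,
    so shell metacharacters are never interpreted."""
    return ["timedatectl", "set-timezone", validate_timezone(timezone, known)]


def set_timezone_hardened(timezone: str) -> "subprocess.CompletedProcess[str]":
    return subprocess.run(build_command_hardened(timezone), check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed payload of the kind the description implies for the timezone parameter.
    payload = "UTC; id > /tmp/pwned"
    allowlist = {"UTC", "Europe/Berlin"}  # constructed stand-in for the host's tzdata
    print("vulnerable shell string:", build_command_vulnerable(payload))
    print("sh would run          :", shell_commands(build_command_vulnerable(payload)))
    try:
        build_command_hardened(payload, known=allowlist)
    except ValueError as exc:
        print("hardened handler      :", exc)
    print("hardened argv         :", build_command_hardened("Europe/Berlin", known=allowlist))
```

The two fixes are independent and both matter: the allowlist rejects anything that is not a real zone name, and the argv form means that even a value which slipped past validation would reach `timedatectl` as a single argument rather than being parsed by a shell.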

Details

CWE(s)
CWE-78

Affected Products

Vendor: openpanel
Product: openpanel
Version: 0.3.4

References