CVE-2024-24320
Published 2024-06-14
Priority: P3 · 54 · high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.02% (89.3th percentile)
Directory Traversal vulnerability in Mgt-commerce CloudPanel v.2.0.0 thru v.2.4.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the service parameter of the load-logfiles function.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | big-ip_aam | — | — |
| f5 | big-ip_advanced_waf | — | — |
| f5 | big-ip_afm | — | — |
| f5 | big-ip_analytics | — | — |
| f5 | big-ip_apm | — | — |
| f5 | big-ip_asm | — | — |
| f5 | big-ip_automation_toolchain | — | — |
| f5 | big-ip_avr | — | — |
| f5 | big-ip_cgnat | — | — |
| f5 | big-ip_container_ingress_services | — | — |
| f5 | big-ip_dhd | — | — |
| f5 | big-ip_dns | — | — |
| f5 | big-ip_edge_gateway | — | — |
| f5 | big-ip_fps | — | — |
| f5 | big-ip_gtm | — | — |
| f5 | big-ip_link_controller | — | — |
| f5 | big-ip_ltm | — | — |
| f5 | big-ip_pem | — | — |
| f5 | big-ip_sslo | — | — |
| f5 | big-ip_webaccelerator | — | — |
| f5 | big-ip_websafe | — | — |
| mgt-commerce | cloudpanel | 2.0.0 – 2.4.0 | — |
GHSA
GHSA-82h5-9gw3-q456: Directory Traversal vulnerability in Mgt-commerce CloudPanel v
ghsa_unreviewed · 2024-06-14
CVE-2024-24320 [HIGH] CWE-120 GHSA-82h5-9gw3-q456: Directory Traversal vulnerability in Mgt-commerce CloudPanel v
F5
CVE-2025-24320: A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility t...
vendor_f5 · 2025-02-05 · CVSS 8.0
CVE-2025-24320 [HIGH] CWE-79 CVE-2025-24320: A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility t...
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156 (https://my.f5.com/manage/s/article/K000138636).
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP AVR, BIG-IP Advanced WAF, BIG-IP Analytics, BIG-IP CGNAT, BIG-IP DHD, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PE
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-06-14