CVE-2024-53584
published 2025-01-31

CVE-2024-53584: OpenPanel v0.3.4 was discovered to contain an OS command injection vulnerability via the timezone parameter.

Priority: P274, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.11% (89.5th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
openpanel | openpanel | |

Detection & IOCs (extracted from sources)

url: POST /server/timezone
command: timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt
port: 2083
path: /server/timezone
  • Detect OS command injection attempts against the OpenPanel timezone endpoint by inspecting POST body to /server/timezone for shell metacharacters (e.g., semicolons, pipes, backticks) within the 'timezone' parameter.
  • Monitor POST requests to /server/timezone on port 2083 (OpenPanel default) for anomalous timezone values that do not match standard IANA timezone strings.
  • Alert on Content-Type: application/x-www-form-urlencoded POST requests to /server/timezone where the body contains URL-encoded shell command separators such as %3B (;) or command strings like 'cat', 'shadow', or redirection operators.
  • The exploit was tested against OpenPanel v0.3.4 specifically; other versions may or may not be vulnerable. Confirm version before applying detections.
  • The exploit was tested on macOS; behavior on Linux-based production deployments of OpenPanel may differ slightly in command execution context.
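The detection ideas in the list above, combined into one check as an added example (not code from OpenPanel or from the sources this page draws on): it decodes the form body, then flags any `timezone` value that contains shell metacharacters or does not have the shape of an IANA zone name. The function names, the two regular expressions and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed shape of an IANA zone name (form check only, not tzdata membership).
IANA_SHAPE = re.compile(r"[A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+){0,2}")
# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;|&`$<>(){}\n\r\\]")
TARGET_PATH = "/server/timezone"


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253B -> %3B -> ;), bounded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, url, body):
    """Return a list of (reason, value) findings for one HTTP request."""
    if method.upper() != "POST" or urlsplit(url).path.rstrip("/") != TARGET_PATH:
        return []
    findings = []
    # parse_qsl decodes '+' and %XX once; every 'timezone' occurrence is checked.
    for key, raw in parse_qsl(body, keep_blank_values=True):
        if key != "timezone":
            continue
        value = fully_decode(raw)
        if SHELL_META.search(value):
            findings.append(("shell-metacharacter", value))
        elif not IANA_SHAPE.fullmatch(value):
            findings.append(("not-iana-shaped", value))
    return findings


# Constructed sample requests; the second body is the command IOC listed above.
SAMPLES = [
    ("POST", "/server/timezone", "timezone=Europe%2FBerlin"),
    ("POST", "/server/timezone", "timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt"),
    ("POST", "/server/timezone", "timezone=UTC%253B"),
    ("POST", "/server/timezone", "timezone=Mars+Base"),
    ("GET", "/server/timezone", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, body, "->", inspect_request(method, url, body))
```

The same allowlist-first logic applies on the server side: rejecting any value that is not a known zone name before it reaches a shell removes the need to enumerate dangerous characters.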