CVE-2024-2352

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-2352

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2352.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-2352

Aliases

Published

2024-03-10T02:16:08.767Z

Modified

2026-04-10T05:09:32.319945Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.

References

Affected packages

Git / github.com/1panel-dev/1panel

Affected ranges

Type

GIT

Repo

https://github.com/1panel-dev/1panel

Events

Introduced

Fixed

3cd0c89c4ca46d0dd37aa5ae8a40d91febdf41ea

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.10.2-lts"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.10.0-lts

v1.10.1-lts

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.5.0

v1.5.1

v1.6.0

v1.6.1

v1.7.0

v1.7.1

v1.8.0

v1.8.1

v1.8.2

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2352.json"