Hello and welcome to the Wednesday, October 30th, 2024 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich and then I'm recording from Jacksonville, Florida.

Well, let's start today with vulnerability in CyberPanel. CyberPanel is one of those web applications that are often used by virtual hosting

providers to allow customers to manage their servers so you can enable various services like

S-H or FTP if you insist and do it all via a convenient web-based interface.

Software like this has had a rich history of vulnerabilities, C-Panel and such is a very similar

tool, probably a little bit more used than CyberPanel.

And this new vulnerability, which was patched only today, does allow random code execution without authentication.

The vulnerability was found by Trey Ant, that's the alias being used here, and was reported to CyberPanel who did release that patch today.

I'm not exactly sure how the exact disclosure here worked looks like it was only reported

like a week or so ago, so CyberPanel was pretty quick with coming up with a patch for this

particular issue, but the blog post by Treyand does also outline some sort of more structural fundamental issues

with the software that make it likely that there are other similar vulnerabilities present

here.

So if you're using CyberPanel, definitely be careful.

As usual, try to restrict access, which can be tricky in these situations, and well,

maybe learn how to administer your servers with SSH.

And sticking with web applications here, we do also have a new fix for vulnerability in Spring.

Spring, of course, is one of those components that often pops up with critical vulnerabilities.

This one has a CVS score of 9.1.

However, the applicability of this particular vulnerability is a little bit

more limited. It does affect Spring Web Flux applications that rely on Spring Security

...