CVE-2023-35885: Changelog | CloudPanel | Documentation

CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.


v2.3.1 - [2023-06-20]

Bug Fixes

  • #287 Colon in remote cloud backup breaks most filesystems
  • #290 File Manager Extract not working since v2.3.0
  • #293 Strange \n\n inside the certificate file used for custom domain.
  • Translation Fixes

Security

  • Critical (CVE-2023-35885): Insecure file manager cookie authentication (Muhammad Aizat, datack.my)
  • Insecure File Upload leads to Privilege Escalation and Authentication Bypass (Muhammad Zulfiqar)

v2.3.0 - [2023-06-06]

New

  • Translation: Bulgarian
  • New CloudPanel CLI Root Commands:
    • User:
      • user:add
      • user:delete
      • user:list
    • Site:
      • site:install:certificate

Enhancements

  • The site user name and password can be entered manually for new WordPress sites.

Bug Fixes

  • #278 CLI need normalize domain name field
  • #284 CLPCTL - Problem with special characters in password result false error
  • Translation Fixes

Security

  • Critical (CVE-2023-33747): Privilege Escalation to root from user. Big thanks to Muhammad (datack.my, host.sabily.info) for reporting and testing
  • OS Command Injection. Big thanks to Laurence from crowdsec.net for reporting and testing

v2.2.2 - [2023-04-03]

New

  • MariaDB 10.11 LTS Support
  • Hebrew
  • Japanese

Bug Fixes

  • #245 New Reverse Proxy | root folder permission in htdocs www.site.com folders
  • #254 Site path / copy and paste issues
  • Translation Fixes

v2.2.1 - [2023-02-27]

New

  • Reverse Proxy
  • Chinese (Simplified)
  • Chinese (Taiwan)

Bug Fixes

  • #210 Dark mode: Separating table borders missing
  • #220 Hetzner Snapshot cleanup throws an exception when delete protection is enabled on a snapshot
  • Translation Fixes

v2.2.0 - [2022-12-08]

New

  • Add PHP 8.2 Support
  • Dark Mode
  • Node.js 18 LTS Support

Improvements

  • File Manager order Directories before Files

Bug Fixes

  • #208 Unable to create a WordPress site with a database server that doesn’t use the default port 3306
  • Translation Fixes

v2.1.0 - [2022-11-03]

New

  • Varnish Cache Support

Improvements

  • Generate Password Link for Site User Password Update

Bug Fixes

  • #138 WordPress Admin login doesn’t work with passwords which contains special characters like
  • #150 Cron Job PHP version issue
  • #153 Backup Custom Rclone Config Time
  • Translation Fixes

v2.0.4 - [2022-09-08]

New

  • Added Languages: Arabic, Ukrainian

Bug Fixes

  • #137 Remote backups don’t get deleted after configured retention period, it affects only the SFTP storage provider
  • Translation Fixes
  • MariaDB 10.9 Support

v2.0.3 - [2022-08-24]

New

  • Remote Backup (Amazon S3, Wasabi, Digital Ocean Spaces, Dropbox, Google Drive, SFTP and Custom Rclone Config)
  • Added Languages: Italian, Indonesian, Spanish, Romanian, Russian, Polish, Vietnamese

Bug Fixes

  • #115 Using " in the additional directives configuration breaks CloudPanel
  • #122 Numeral in Domain Name Can’t Install Wordpress
  • #132 413 Request Entity Too Large, File Manager file upload over 512MB with custom domain

v2.0.2 - [2022-07-04]

Bug Fixes

  • Remove FS_CHMOD_FILE and FS_CHMOD_DIR from default WP settings

v2.0.1 - [2022-07-04]

New

  • Added Portuguese (Brasil) translation
  • Added Turkish translation
  • MariaDB 10.8 support for Ubuntu and Debian
  • Added Default WP settings:
    • WP_MEMORY_LIMIT: 256M
    • WP_MAX_MEMORY_LIMIT: 512M
    • FS_CHMOD_FILE: 0644
    • FS_CHMOD_DIR: 0755

Bug Fixes

  • Site User Name generation didn’t work with a two-level subdomain like wp.blog.eu.org
  • Translation Fixes

v2.0.0 - [2022-06-20]

  • Initial Release

Related news

CloudPanel 2.2.2 Privilege Escalation / Path Traversal

CloudPanel versions 2.0.0 through 2.2.2 suffer from a privilege escalation vulnerability when a traversal is leveraged against clpctlWrapper for which all normal users have sudo access.
