Headline
CVE-2023-35885: Changelog | CloudPanel | Documentation
CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
v2.3.1 - [2023-06-20]#
Bug Fixes
- #287 Colon in remote cloud backup breaks most filesystems
- #290 File Manager Extract not working since v2.3.0
- #293 Strange \n\n inside the certificate file used for custom domain.
- Translation Fixes
Security
- Critical (CVE-2023-35885): Insecure file manager cookie authentication (Muhammad Aizat, datack.my)
- Insecure File Upload leads to Privilege Escalation and Authentication Bypass (Muhammad Zulfiqar)
v2.3.0 - [2023-06-06]#
New
- Translation: Bulgarian
- New CloudPanel CLI Root Commands:
- User:
- user:add
- user:delete
- user:list
- Site:
- site:install:certificate
- User:
Enhancements
- The site user name and password can be entered manually for new WordPress sites.
Bug Fixes
- #278 CLI need normalize domain name field
- #284 CLPCTL - Problem with special characters in password result false error
- Translation Fixes
Security
- Critical (CVE-2023-33747): Privilege Escalation to root from user. Big thanks to Muhammad (datack.my, host.sabily.info) for reporting and testing
- OS Command Injection. Big thanks to Laurence from crowdsec.net for reporting and testing
v2.2.2 - [2023-04-03]#
New
- MariaDB 10.11 LTS Support
- Hebrew
- Japanese
Bug Fixes
- #245 New Reverse Proxy | root folder permission in htdocs www.site.com folders
- #254 Site path / copy and paste issues
- Translation Fixes
v2.2.1 - [2023-02-27]#
New
- Reverse Proxy
- Chinese (Simplified)
- Chinese (Taiwan)
Bug Fixes
- #210 Dark mode: Separating table borders missing
- #220 Hetzner Snapshot cleanup throws an exception when delete protection is enabled on a snapshot
- Translation Fixes
v2.2.0 - [2022-12-08]#
New
- Add PHP 8.2 Support
- Dark Mode
- Node.js 18 LTS Support
Improvements
- File Manager order Directories before Files
Bug Fixes
- #208 Unable to create a WordPress site with a database server that doesn’t use the default port 3306
- Translation Fixes
v2.1.0 - [2022-11-03]#
New
- Varnish Cache Support
Improvements
- Generate Password Link for Site User Password Update
Bug Fixes
- #138 WordPress Admin login doesn’t work with passwords which contains special characters like
- #150 Cron Job PHP version issue
- #153 Backup Custom Rclone Config Time
- Translation Fixes
v2.0.4 - [2022-09-08]#
New
- Added Languages: Arabic, Ukrainian
Bug Fixes
- #137 Remote backups don’t get deleted after configured retention period, it affects only the SFTP storage provider
- Translation Fixes
- MariaDB 10.9 Support
v2.0.3 - [2022-08-24]#
New
- Remote Backup (Amazon S3, Wasabi, Digital Ocean Spaces, Dropbox, Google Drive, SFTP and Custom Rclone Config)
- Added Languages: Italian, Indonesian, Spanish, Romanian, Russian, Polish, Vietnamese
Bug Fixes
- #115 Using " in the additional directives configuration breaks CloudPanel
- #122 Numeral in Domain Name Can’t Install Wordpress
- #132 413 Request Entity Too Large, File Manager file upload over 512MB with custom domain
v2.0.2 - [2022-07-04]#
Bug Fixes
- Remove FS_CHMOD_FILE and FS_CHMOD_DIR from default WP settings
v2.0.1 - [2022-07-04]#
New
- Added Portuguese (Brasil) translation
- Added Turkish translation
- MariaDB 10.8 support for Ubuntu and Debian
- Added Default WP settings:
- WP_MEMORY_LIMIT: 256M
- WP_MAX_MEMORY_LIMIT: 512M
- FS_CHMOD_FILE: 0644
- FS_CHMOD_DIR: 0755
Bug Fixes
- Site User Name generation didn’t work with a two-level subdomain like wp.blog.eu.org
- Translations fixes
v2.0.0 - [2022-06-20]#
Initial Release
v2.3.1 - 2023-06-20
v2.3.0 - 2023-06-06
v2.2.2 - 2023-04-03
v2.2.1 - 2023-02-27
v2.2.0 - 2022-12-08
v2.1.0 - 2022-11-03
v2.0.4 - 2022-09-08
v2.0.3 - 2022-08-24
v2.0.2 - 2022-07-04
v2.0.1 - 2022-07-04
v2.0.0 - 2022-06-20
Related news
CloudPanel versions 2.0.0 through 2.2.2 suffer from a privilege escalation vulnerability when a traversal is leveraged against clpctlWrapper for which all normal users have sudo access.
CloudPanel v2.2.2 allows attackers to execute a path traversal.