CVE-2021-34257: Unrestricted Upload of File with Dangerous Type

April 1, 2022 (updated April 12, 2022)

Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard’s Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folder image.

References

github.com/Sentinal920/WPanel4-Authenticated-RCE
github.com/advisories/GHSA-vhgr-gfx3-fg37
latestpcsolution.wordpress.com/2021/06/05/wpanel4-cms-authenticated-rce/
nvd.nist.gov/vuln/detail/CVE-2021-34257

Code Behaviors & Features

Detect and mitigate CVE-2021-34257 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →