aaPanel Arbitrary File Upload Vulnerability Allowing Code Execution

A vulnerability allowing arbitrary file upload has been identified in aaPanel version 7.57.0. This issue arises from inadequate validation of uploaded files, particularly images, enabling attackers to upload malicious SVG files containing executable code. Once uploaded, these files can be accessed and executed, leading to unauthorized code execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where aaPanel is installed.

Reproduction

To reproduce this vulnerability, upload a crafted SVG file containing malicious JavaScript payloads through the aaPanel interface. The file will be stored and can be accessed via the application's asset delivery pipeline, where it will be executed by the browser, resulting in a stored cross-site scripting (XSS) attack. This vulnerability can also be exploited to perform a local file inclusion (LFI) attack, according to the author.