CyberPanel
cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*
- < 2.4.4
A stored cross-site scripting vulnerability has been identified in CyberPanel versions prior to 2.4.4. The issue resides in the AI Scanner dashboard, specifically in the POST /api/ai-scanner/callback endpoint, which lacks authentication. Unauthenticated attackers can inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. The injected JavaScript executes in the context of an administrator's authenticated session when the AI Scanner dashboard is accessed. From there, the script can make same-origin requests that schedule cron jobs, ultimately leading to remote code execution on the server.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of an administrator's session. This XSS is then leveraged to execute arbitrary code on the server via a scheduled cron job.
To reproduce this vulnerability, first trigger a legitimate scan using the CyberPanel AI Scanner feature to generate a valid scan ID. Once the scan is complete, the same-origin POST /api/ai-scanner/callback endpoint can be accessed without authentication. Inject malicious JavaScript into the findings_json field by crafting a payload that includes the scan ID and the XSS payload. After the injection, access the AI Scanner dashboard as an administrator to execute the injected script.
Users are advised to update CyberPanel to version 2.4.4 or later, where this vulnerability has been fixed.
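Because the injected script is stored in findings_json, ScanHistory records written before the update are worth reviewing as well. The following is an added example, not CyberPanel's own code: a heuristic audit that walks each findings_json value and reports strings carrying HTML markup, HTML-escaped for safe display. The row layout (scan_id, findings_json), the field names inside the samples and the patterns are assumptions, and the sample rows are constructed.

```python
import html
import json
import re

# Heuristic patterns that plain-text scanner findings should not contain.
SUSPICIOUS = re.compile(
    r"</?[a-zA-Z]"           # start of an HTML open/close tag
    r"|\bon[a-z]+\s*="       # inline event-handler attribute
    r"|javascript\s*:",      # javascript: URI scheme
    re.IGNORECASE,
)

def walk(node, path="$"):
    """Yield (json_path, string) for every string, keys included, in a JSON tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk(key, f"{path}.<key>")   # keys may be rendered too
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")

def audit_findings(raw_json):
    """Return [(json_path, html_escaped_value)] for strings that carry markup."""
    try:
        tree = json.loads(raw_json)
    except (TypeError, ValueError):
        return [("$", "unparseable findings_json")]  # flag for manual review
    return [(p, html.escape(v)) for p, v in walk(tree) if SUSPICIOUS.search(v)]

# Constructed sample rows (scan_id, findings_json); not real CyberPanel data.
SAMPLE_ROWS = [
    ("scan-001", '[{"file": "wp-config.php", "issue": "World-readable file"}]'),
    ("scan-002", '[{"file": "index.php", "issue": "<script>/*marker*/</script>"}]'),
    ("scan-003", '{"summary": {"note": "a < b and c > d"}}'),
    ("scan-004", "not json"),
]

def audit_rows(rows):
    """Map scan_id -> hits for every row with at least one suspicious string."""
    audited = ((scan_id, audit_findings(raw)) for scan_id, raw in rows)
    return {scan_id: hits for scan_id, hits in audited if hits}

if __name__ == "__main__":
    print(json.dumps(audit_rows(SAMPLE_ROWS), indent=2))
```

A hit is a prompt for manual review of that record, not proof of tampering, and a clean result does not rule out content the patterns miss.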