CVE-2023-35885: 
CloudPanel vulnerability analysis and mitigation

CloudPanel 2 versions before 2.3.1 contained a critical authentication bypass vulnerability (CVE-2023-35885) in its file manager component. The vulnerability was discovered on June 1, 2023, and was assigned a CVSS v3.1 base score of 9.8 (Critical). The issue affected CloudPanel versions from 2.0.0 to 2.3.0 and was patched in version 2.3.1 released on June 20, 2023 (Datack Blog, CloudPanel Changelog).

The vulnerability stemmed from insecure file-manager cookie authentication. The root cause was traced to the usage of default secret keys and the default user 'clp'. The file manager component lacked proper session authentication, resulting in broken access control when the encrypted 'clp-fm' cookie value was inserted with the default secret key. The decrypted cookie value contained a serialized string that could be manipulated to change the user value to the default 'clp' user, which had elevated privileges (Datack Blog, AttackerKB).

The vulnerability allowed attackers to gain unauthorized access to the file manager, enabling them to upload malicious files to the CloudPanel main directory. Since the default 'clp' user had sudo privileges without password requirements (sudo nopasswd), successful exploitation could lead to complete system compromise with root-level access (Datack Blog).

The vulnerability was patched in CloudPanel version 2.3.1. Users are strongly advised to upgrade to this version or later to mitigate the risk. The patch addresses the insecure file manager cookie authentication issue (CloudPanel Changelog).