Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.
The vulnerability (CWE-22/CWE-98) consists of the lack of proper validation of the locale and namespace parameters in HTTP requests directed to the LocaleController component. An attacker sends a specially crafted HTTP request containing path traversal sequences in these parameters, which allows specifying and including any PHP file located on the server. The mechanism of including PHP files without authentication and without path restriction constitutes a Remote Code Execution (RCE) vector.
An attacker can remotely execute arbitrary PHP code on the server without any authentication, which in practice means complete server compromise — data theft, backdoor installation, and takeover of managed virtual machines.
Convoy must be immediately updated to version 4.4.1, in which the vulnerability has been patched. As a temporary workaround until the patch is deployed, it is recommended to apply restrictive Web Application Firewall (WAF) rules blocking requests to vulnerable endpoints.
Convoy (KVM server management panel by Performave) in versions from 3.9.0-rc3 to before 4.4.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H