CVE-2023-38941
Description
django-sspanel v2022.2.2 was discovered to contain a remote command execution (RCE) vulnerability via the component sspanel/admin_view.py -> GoodsCreateView._post.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote command execution vulnerability in GoodsCreateView._post of django-sspanel v2022.2.2 allows unauthenticated attackers to execute arbitrary commands.
Vulnerability
A remote command execution (RCE) vulnerability exists in django-sspanel v2022.2.2, specifically in the component sspanel/admin_view.py within the GoodsCreateView._post method [1]. The vulnerability arises from insufficient input validation in the goods creation endpoint, allowing arbitrary OS command injection when the application processes crafted data [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the goods creation endpoint of the admin interface [1]. No authentication appears required to reach the vulnerable code path, enabling unauthenticated remote exploitation [1]. The attack vector is network-based and requires no user interaction [1].
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) on the underlying server [1]. This grants the attacker full control over the affected system, enabling arbitrary command execution, data exfiltration, and potential lateral movement within the network [1].
Mitigation
As of the publication date (August 3, 2023), no official fix or patch has been released for this vulnerability. The repository was archived by the owner on March 27, 2025, and is now read-only [1], indicating the project is end-of-life. Users should immediately isolate any instances of django-sspanel v2022.2.2 and consider migrating to an alternative solution. No known workarounds are available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- django-sspanel/sspanel
- Range: = 2022.2.2
Patches
No patches discovered yet.