aaPanel up to and including 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen.
aapanel
aapanel 666 - CVE-2020-14950
Description : allows remote authenticated users to execute arbitrary commands via the setting menu of Sotfware Store
Affected version : All <= 666
Information
To make this PoC, I just installed the software using docker-compose
Vulnerability Type : Remote command execution (Authenticated RCE)
POC
Go to Software Store, click o