CVE-2024-27288
MEDIUM 6.3, EPSS 0.59%
1Panel open source panel project has an unauthorized vulnerability.
Description
### Impact

The steps are as follows:

1. Access https://IP:PORT/ in the browser, which prompts the user to access with a secure entry point.
2. Use Burp to intercept:

When opening the browser and entering the URL (allowing the first intercepted packet through Burp), the following is displayed:

It is found that in this situation, we can access the console page (although no data is returned and no modification operations can be performed).

Affected versions: <= 1.10.0-lts

### Patches

The vulnerability has been fixed in v1.10.1-lts.

### Workarounds

It is recommended to upgrade the version to 1.10.1-lts.

### References

If you have any questions or comments about this advisory:

- Open an issue in https://github.com/1Panel-dev/1Panel
- Email us at [email protected]
Affected packages (2)
- Go/github.com/1Panel-dev/1Panel from 0, < 1.10.1-lts
- Go/github.com/1Panel-dev/1Panel from 0, < 1.10.1-lts
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |