
CVE-2024-39911 – 1Panel SQL injection
https://notcve.org/view.php?id=CVE-2024-39911
18 Jul 2024 — 1Panel is a web-based Linux server management control panel. 1Panel contains an unspecified SQL injection via User-Agent handling. This issue has been addressed in version 1.10.12-lts. Users are advised to upgrade. There are no known workarounds for this vulnerability. Reference: https://blog.mo60.cn/index.php/archives/1Panel_SQLinjection2Rce.html. Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

CVE-2024-34352 – Arbitrary file write vulnerability in 1Panel
https://notcve.org/view.php?id=CVE-2024-34352
09 May 2024 — 1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes and ultimately to RCE. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts. Reference: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847. Weakness: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').

CVE-2024-30257 – 1Panel's password verification is suspected to have a timing attack vulnerability
https://notcve.org/view.php?id=CVE-2024-30257
18 Apr 2024 — 1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the `!=` operator instead of `hmac.Equal`. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts. Reference: https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26. Weakness: CWE-203: Observable Discrepancy.

CVE-2024-27288 – 1Panel open source panel project has an unauthorized vulnerability
https://notcve.org/view.php?id=CVE-2024-27288
06 Mar 2024 — 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.10.1-lts, users can use Burp to obtain unauthorized access to the console page. The vulnerability has been fixed in v1.10.1-lts. There are no known workarounds. Reference: https://github.com/1Panel-dev/1Panel/releases/tag/v1.10.1-lts. Weakness: CWE-863: Incorrect Authorization.

CVE-2024-24768 – 1Panel set-cookie is missing the Secure keyword
https://notcve.org/view.php?id=CVE-2024-24768
05 Feb 2024 — 1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure attribute, which may cause the cookie to be sent in plain text if the panel is accessed over HTTP. This issue has been patched in version 1.9.6. Reference: https://github.com/1Panel-dev/1Panel/commit/1169648162c4b9b48e0b4aa508f9dea4d6bc50d5. Weaknesses: CWE-311: Missing Encryption of Sensitive Data; CWE-315: Cleartext Storage of Sensitive Information in a Cookie.

CVE-2023-39966 – 1Panel arbitrary file write vulnerability exists in the background
https://notcve.org/view.php?id=CVE-2023-39966
10 Aug 2023 — 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContent`, which receives JSON data sent by users in the form of a POST request. The lack of parameter filtering allows arbitrary file write operations. Version 1.5.0 contains a patch for this issue. Reference: https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0. Weakness: CWE-862: Missing Authorization.

CVE-2023-39965 – 1Panel Unauthorized access in Backend
https://notcve.org/view.php?id=CVE-2023-39965
10 Aug 2023 — 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. The affected code lacks an authorization check, so attackers can freely download file content from the target system. This may cause a large amount of information leakage. Reference: https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0. Weakness: CWE-863: Incorrect Authorization.

CVE-2023-39964 – 1Panel O&M management panel has a background arbitrary file reading vulnerability
https://notcve.org/view.php?id=CVE-2023-39964
10 Aug 2023 — 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read important configuration files on the server. In the `api/v1/file.go` file, there is a function called `LoadFromFile`, which directly reads the file at the requested path taken from `parameter[path]`. The request parameters are not filtered, resulting in an authenticated arbitrary file read vulnerability. Version 1.5.0 has a patch for this issue. Reference: https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0. Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

CVE-2023-37477 – Command injection in firewall ip functionality in 1Panel
https://notcve.org/view.php?id=CVE-2023-37477
18 Jul 2023 — 1Panel is an open source Linux server operation and maintenance management panel. An OS command injection vulnerability exists in 1Panel's firewall functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. The firewall functionality's `/hosts/firewall/ip` endpoint reads user input without validation, so the attacker can extend the default functionality of the application, which executes system commands. A... Reference: https://github.com/1Panel-dev/1Panel/commit/e17b80cff4975ee343568ff526b62319f499005d. Weakness: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

CVE-2023-36457 – 1Panel vulnerable to command injection when adding container repositories
https://notcve.org/view.php?id=CVE-2023-36457
05 Jul 2023 — 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6. Reference: https://github.com/1Panel-dev/1Panel/releases/tag/v1.3.6. Weakness: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').