Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0yNnczLXE0ajgtNHhqcM4AA5zI

1Panel open source panel project has an unauthorized vulnerability.

Impact

The steps are as follows:

1. Access https://IP:PORT/ in the browser, which prompts the user to access with a secure entry point.
   

2. Use Burp to intercept:
   

When opening the browser and entering the URL (allowing the first intercepted packet through Burp), the following is displayed:

It is found that in this situation, we can access the console page (although no data is returned and no modification operations can be performed)."

Affected versions: <= 1.10.0-lts

Patches

The vulnerability has been fixed in v1.10.1-lts.

Workarounds

It is recommended to upgrade the version to 1.10.1-lts.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/1Panel-dev/1Panel
Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-26w3-q4j8-4xjp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNnczLXE0ajgtNHhqcM4AA5zI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago

CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-26w3-q4j8-4xjp, CVE-2024-27288
References:

• https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-26w3-q4j8-4xjp
• https://github.com/1Panel-dev/1Panel/releases/tag/v1.10.1-lts
• https://nvd.nist.gov/vuln/detail/CVE-2024-27288
• https://github.com/1Panel-dev/1Panel/pull/4014
• https://github.com/advisories/GHSA-26w3-q4j8-4xjp

Repository: https://github.com/1Panel-dev/1Panel
Blast Radius: 1.0

Affected Packages