CVE-2025-34410
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1panel | 1panel | 2.0.15 |
| 1panel | 1panel | 1.10.33 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site request forgery (CSRF) issue in 1Panel versions 1.10.33 through 2.0.15 affecting the Change Username functionality. The endpoint that changes the username accepts a state-changing request without an anti-CSRF token and without validating the Origin or Referer headers, so nothing ties the request to a page the panel itself served. An attacker hosts a page that, when visited by a user who is logged in to 1Panel in the same browser, auto-submits a request to that endpoint; the browser attaches the user's session credential, and the username is changed without the user's consent. The victim's session ends and they cannot log back in, because the username they know no longer exists.
How can this vulnerability impact me?
The vulnerability can lead to an attacker changing your 1Panel username without your consent, resulting in you being logged out and unable to log back in with your previous username. This effectively locks you out of your account, a denial of service against the panel's administration. The attacker does not obtain your password or a session of their own through this issue; the damage is loss of access, and the web login itself offers no way back in once the credential you know is no longer valid.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update 1Panel to a release newer than 2.0.15 in which the CSRF issue is fixed. If an update is not possible, reduce exposure rather than leaving the endpoint as-is: place the panel behind a reverse proxy that rejects state-changing requests (POST, PUT, PATCH, DELETE) whose Origin or Referer does not match the panel's own address, mark the session cookie SameSite so the browser does not attach it to cross-site form submissions, restrict access to the panel to trusted networks or a VPN, and avoid browsing untrusted sites in the same browser session you use to administer the panel. Also monitor the panel's logs for unexpected username changes, so a successful attack is noticed before it becomes a lockout.
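The two defenses the answers above name, Origin/Referer validation and a per-session anti-CSRF token, are shown below as an added example; this is not 1Panel's code, and it is written in Go only because a self-hosted panel's backend would typically carry such a check. The allowed origin, the endpoint path, the `X-CSRF-Token` header name, the `tokenForSession` lookup and the sample requests are all assumptions constructed for the demonstration; the advisory does not name the real endpoint.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigins is a hypothetical setting: the scheme://host[:port] values a
// browser may legitimately submit state-changing requests from. For a
// self-hosted panel this is normally just the panel's own public URL.
var allowedOrigins = map[string]bool{
	"https://panel.example.com": true,
}

// requestOrigin returns the site a browser request came from, using the
// Origin header and falling back to the Referer. It returns "" when neither
// is usable.
func requestOrigin(r *http.Request) string {
	if o := r.Header.Get("Origin"); o != "" {
		return strings.ToLower(o) // may be the literal "null", which never matches
	}
	ref := r.Header.Get("Referer")
	if ref == "" {
		return ""
	}
	u, err := url.Parse(ref)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// csrfCheck decides whether a request may reach a state-changing endpoint.
// It returns "" to accept, otherwise a short rejection reason. expectedToken
// is the anti-CSRF token bound to the caller's session.
func csrfCheck(r *http.Request, expectedToken string) string {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return "" // safe methods do not change state
	}
	// Check 1: the request must originate from the panel itself. A request
	// with neither header is rejected rather than waved through, because a
	// legitimate browser submission to this origin carries at least one.
	src := requestOrigin(r)
	if src == "" {
		return "missing Origin and Referer"
	}
	if !allowedOrigins[src] {
		return "cross-origin request from " + src
	}
	// Check 2: a per-session token in a custom header. An HTML form on an
	// attacker's page can neither set custom headers nor learn this value.
	got := r.Header.Get("X-CSRF-Token")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expectedToken)) != 1 {
		return "missing or invalid CSRF token"
	}
	return ""
}

// csrfMiddleware applies csrfCheck before the wrapped handler. tokenForSession
// is a hypothetical lookup of the token issued to the requester's session.
func csrfMiddleware(next http.Handler, tokenForSession func(*http.Request) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := csrfCheck(r, tokenForSession(r)); reason != "" {
			http.Error(w, "forbidden: "+reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	const token = "constructed-session-token" // stands in for a real per-session secret
	// Constructed requests against a placeholder path; the advisory does not
	// name the real endpoint.
	const target = "https://panel.example.com/settings/username"
	cases := []struct {
		name    string
		headers map[string]string
	}{
		{"same-origin with token", map[string]string{"Origin": "https://panel.example.com", "X-CSRF-Token": token}},
		{"attacker page auto-submit", map[string]string{"Origin": "https://attacker.example"}},
		{"referer-only cross-site", map[string]string{"Referer": "https://attacker.example/lure.html"}},
		{"same-origin but no token", map[string]string{"Origin": "https://panel.example.com"}},
	}
	for _, c := range cases {
		r := httptest.NewRequest(http.MethodPost, target, nil)
		for k, v := range c.headers {
			r.Header.Set(k, v)
		}
		if reason := csrfCheck(r, token); reason == "" {
			fmt.Printf("%-28s accepted\n", c.name)
		} else {
			fmt.Printf("%-28s rejected: %s\n", c.name, reason)
		}
	}
}
```

Either check alone would have stopped the attack described in this advisory, since a cross-site auto-submitted form carries the attacker's Origin and cannot set a custom header; both are kept because they fail independently (a proxy stripping Referer, a token leaked by a template bug). The fallback to Referer matters for older browsers that omit Origin on same-origin form posts, and the "neither header" case is treated as a rejection rather than a pass, which is the choice that makes the Origin check worth anything.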