CVE-2025-34429
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1panel | 1panel | 2.0.15 |
| 1panel | 1panel | 1.10.33 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site request forgery (CSRF) in 1Panel versions 1.10.33 to 2.0.15 affecting the web port configuration functionality. The port-change endpoint does not have protections like anti-CSRF tokens or Origin/Referer validation. An attacker can create a malicious webpage that, when visited by an authenticated user, sends a port-change request using the user's valid session cookies. This allows the attacker to change the port on which the 1Panel web service listens without the user's consent.
How can this vulnerability impact me? :
The vulnerability can cause service disruption or denial of service by changing the port on which the 1Panel web service listens, resulting in loss of access on the original port. Additionally, it may unintentionally expose the service on an attacker-chosen port, potentially increasing security risks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately restrict access to the 1Panel web service to trusted users only, avoid visiting untrusted webpages while authenticated to the 1Panel service, and monitor for unexpected changes in the web service port. Additionally, update 1Panel to a version later than 2.0.15 once available that includes CSRF protections such as anti-CSRF tokens or Origin/Referer validation.