CVE-2025-34430
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1panel | 1panel | 2.0.15 |
| 1panel | 1panel | 1.10.33 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this CSRF vulnerability, immediately update 1Panel to a version later than 2.0.15 where the issue is fixed. If an update is not possible, implement CSRF protections such as anti-CSRF tokens or Origin/Referer header validation on the panel name management endpoint to prevent unauthorized requests. Additionally, educate users to avoid visiting untrusted webpages while authenticated to the panel.
Can you explain this vulnerability to me?
This vulnerability is a cross-site request forgery (CSRF) issue in 1Panel versions 1.10.33 through 2.0.15 affecting the panel name management functionality. The affected endpoint lacks CSRF protections like anti-CSRF tokens or Origin/Referer validation. An attacker can create a malicious webpage that, when visited by an authenticated user, submits a request to change the panel name without the user's consent, using the user's valid session cookies.
How can this vulnerability impact me? :
This vulnerability allows a remote attacker to change the victim's panel name to any arbitrary value without their consent. This unauthorized change can lead to confusion, misrepresentation, or potential misuse of the panel's identity, possibly affecting the integrity and trustworthiness of the system.