Filtered by vendor Fit2cloud
                         Subscriptions
                    
                    
                
                        Filtered by product 1panel
                         Subscriptions
                    
                    
                
                    Total
                    14 CVE
                
            | CVE | Vendors | Products | Updated | CVSS v3.1 | 
|---|---|---|---|---|
| CVE-2025-54424 | 2 1panel, Fit2cloud | 2 1panel, 1panel | 2025-08-26 | 8.1 High | 
| 1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during certificate validation, leading to unauthorized interface access. Due to the presence of numerous command execution or high-privilege interfaces in 1Panel, this results in Remote Code Execution (RCE). This is fixed in version 2.0.6. The CVE has been translated from Simplified Chinese using GitHub Copilot. | ||||
| CVE-2024-24768 | 1 Fit2cloud | 1 1panel | 2025-06-17 | 6.5 Medium | 
| 1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text if accessed using HTTP. This issue has been patched in version 1.9.6. | ||||
| CVE-2024-39911 | 1 Fit2cloud | 1 1panel | 2025-02-13 | 10 Critical | 
| 1Panel is a web-based linux server management control panel. 1Panel contains an unspecified sql injection via User-Agent handling. This issue has been addressed in version 1.10.12-lts. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-27288 | 1 Fit2cloud | 1 1panel | 2025-02-11 | 6.3 Medium | 
| 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.10.1-lts, users can use Burp to obtain unauthorized access to the console page. The vulnerability has been fixed in v1.10.1-lts. There are no known workarounds. | ||||
| CVE-2024-30257 | 1 Fit2cloud | 1 1panel | 2025-02-11 | 3.9 Low | 
| 1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts. | ||||
| CVE-2024-34352 | 1 Fit2cloud | 1 1panel | 2025-02-07 | 6.5 Medium | 
| 1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts. | ||||
| CVE-2024-2352 | 1 Fit2cloud | 1 1panel | 2025-02-05 | 6.3 Medium | 
| A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304. | ||||
| CVE-2024-39907 | 1 Fit2cloud | 1 1panel | 2024-11-21 | 9.8 Critical | 
| 1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues. | ||||
| CVE-2023-39966 | 1 Fit2cloud | 1 1panel | 2024-11-21 | 7.5 High | 
| 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue. | ||||
| CVE-2023-39965 | 1 Fit2cloud | 1 1panel | 2024-11-21 | 6.5 Medium | 
| 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access. Attackers can freely download the file content on the target system. This may cause a large amount of information leakage. Version 1.5.0 has a patch for this issue. | ||||
| CVE-2023-39964 | 1 Fit2cloud | 1 1panel | 2024-11-21 | 7.5 High | 
| 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. In the `api/v1/file.go` file, there is a function called `LoadFromFile`, which directly reads the file by obtaining the requested path `parameter[path]`. The request parameters are not filtered, resulting in a background arbitrary file reading vulnerability. Version 1.5.0 has a patch for this issue. | ||||
| CVE-2023-37477 | 1 Fit2cloud | 1 1panel | 2024-11-21 | 7.2 High | 
| 1Panel is an open source Linux server operation and maintenance management panel. An OS command injection vulnerability exists in 1Panel firewall functionality. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. 1Panel firewall functionality `/hosts/firewall/ip` endpoint read user input without validation, the attacker extends the default functionality of the application, which execute system commands. An attacker can execute arbitrary code on the target system, which can lead to a complete compromise of the system. This issue has been addressed in commit `e17b80cff49` which is included in release version `1.4.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-36458 | 1 Fit2cloud | 1 1panel | 2024-11-21 | 6.3 Medium | 
| 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payloads to achieve command injection when entering the container terminal. The vulnerability has been fixed in v1.3.6. | ||||
| CVE-2023-36457 | 1 Fit2cloud | 1 1panel | 2024-11-21 | 6.3 Medium | 
| 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6. | ||||
                            
                                
                                
                                    Page 1 of 1.