Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2024-24768

CVE-2024-24768:
1Panel set-cookie is missing the Secure keyword

3.5

CVSS Score

Basic Information

CVE ID
CVE-2024-24768
GHSA ID
GHSA-9xfw-jjq2-7v8h
EPSS Score
-
CWE
CWE-311
Published
2/5/2024
Updated
1/20/2025
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/1Panel-dev/1Panelgo<= 1.9.51.9.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper Secure flag handling in cookie operations across authentication flows. The patch demonstrates three key fixes: 1) In auth.go's generateSession, added HTTPS check before SetCookie 2) In auth.go's LogOut, added secure flag conditional 3) In setting.go's UpdateSSL, added cookie refresh after SSL changes. These functions all handled session cookies without properly respecting the HTTPS configuration state prior to patching, making them clear points of exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** *ttps *ooki* t**t *om*s wit* t** p*n*l *o*s not **v* t** S**ur* k*ywor*, w*i** m*y **us* t** *ooki* to ** s*nt in pl*in t*xt w**n ****ssin* *ttp ***i**nt*lly. *ttps://**v*lop*r.mozill*.or*/z*-*N/*o*s/W**/*TTP/*****rs/S*t-*ooki*#s**ur

Reasoning

T** vuln*r**ility st*ms *rom improp*r S**ur* *l** **n*lin* in *ooki* op*r*tions **ross *ut**nti**tion *lows. T** p*t** **monstr*t*s t*r** k*y *ix*s: *) In *ut*.*o's **n*r*t*S*ssion, ***** *TTPS ****k ***or* S*t*ooki* *) In *ut*.*o's Lo*Out, ***** s**