-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability is a Cross-Site Request Forgery (CSRF) in the web port configuration functionality of 1Panel. The advisory states that the port-change endpoint lacks CSRF defenses. By analyzing the application's routing, I identified that the POST /settings/port/update route is handled by the UpdatePort function in the BaseApi. This function is responsible for changing the web service's listening port. Since the advisory explicitly mentions the lack of CSRF protection on this functionality, and the router points to this function, it is highly probable that UpdatePort is the vulnerable function. The vulnerability allows an attacker to craft a malicious request to change the application's port, which will be executed if a logged-in user visits a page containing the request. This can lead to a denial of service.
github.com/1Panel-dev/1Panel/core/app/api/v2.(*BaseApi).UpdatePortcore/app/api/v2/base.go
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/1Panel-dev/1Panel | go | >= 1.10.33, <= 2.0.15 |