Vulnerabilities > CVE-2023-39966 - Missing Authorization vulnerability in Fit2Cloud 1Panel 1.4.3

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

fit2cloud

CWE-862

critical

NVD

Published: 2023-08-10

Updated: 2023-09-08

Summary

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.

Vulnerable Configurations

Part	Description	Count
Application	Fit2Cloud Fit2Cloud 1Panel 1.4.3	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0
https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4