CVE Catalog

CVE-2025-34430

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

CSRF vulnerability in 1Panel versions 1.10.33 through 2.0.15 in the panel name management functionality. Lack of CSRF defenses (tokens, Origin/Referer validation) allows an attacker to change the victim's panel name without consent via a crafted webpage.

Risk Assessment

An attacker can change the administrator's panel name to an arbitrary value, potentially leading to confusion, loss of trust, or further social engineering attacks.

Recommendation

Immediately update 1Panel to version 2.0.16 or later, which includes the CSRF fix. As a temporary mitigation, implement additional Origin/Referer header validation at the proxy level.

Original NVD description (English source)

1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim’s panel name to an arbitrary value without consent.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS