GHSA-x2vg-5wrf-vj6v

Source
https://github.com/advisories/GHSA-x2vg-5wrf-vj6v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-x2vg-5wrf-vj6v/GHSA-x2vg-5wrf-vj6v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x2vg-5wrf-vj6v
Aliases
Published
2024-03-10T03:30:45Z
Modified
2024-06-04T16:56:41.720865Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
1Panel is vulnerable to command injection
Details

1Panel is vulnerable to command injection. The vulnerability, which has been classified as critical, was found in 1Panel up to 1.10.1-lts. It affects the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. Manipulating the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Applying a patch is recommended to fix this issue. The identifier of this vulnerability is VDB-256304.
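
A defensive sketch of input handling for a Path argument like the one described above. This is an added example, not 1Panel's code or its patch. The function names, the allowlist pattern and the use of mkswap as the command are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path"
	"regexp"
)

// Assumed allowlist (not 1Panel's rule): absolute path made only of letters,
// digits, '.', '_', '-' and '/'. Newlines, spaces and shell metacharacters fail.
var safeSwapPath = regexp.MustCompile(`^/[A-Za-z0-9._/-]+$`)
var ErrUnsafePath = errors.New("swap path rejected")

// ValidateSwapPath accepts only an allowlisted path that is already in
// canonical form (no "..", "//", "/./" or trailing slash).
func ValidateSwapPath(p string) (string, error) {
	if len(p) > 4096 || !safeSwapPath.MatchString(p) || path.Clean(p) != p {
		return "", ErrUnsafePath
	}
	return p, nil
}

// SwapCommand builds (does not run) an argv-style command; no shell parses the path.
func SwapCommand(p string) (*exec.Cmd, error) {
	clean, err := ValidateSwapPath(p)
	if err != nil {
		return nil, err
	}
	return exec.Command("mkswap", clean), nil
}

func main() {
	// Constructed inputs; the second is the value quoted in the advisory.
	inputs := []string{
		"/opt/1panel/swapfile",
		"123123123\nopen -a Calculator",
		"/swap; id",
		"/opt/../etc/swapfile",
	}
	for _, in := range inputs {
		if cmd, err := SwapCommand(in); err != nil {
			fmt.Printf("%q -> %v\n", in, err)
		} else {
			fmt.Printf("%q -> argv %q\n", in, cmd.Args)
		}
	}
}
```

Validation and argv-style execution are independent layers: the allowlist rejects the newline before any command is built, and passing the path as a single argument keeps it out of shell parsing even if the allowlist is later loosened.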

Database specific
{
    "nvd_published_at": "2024-03-10T02:16:08Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-11T14:00:13Z"
}
References

Affected packages

Go / github.com/1Panel-dev/1Panel

Package

Name
github.com/1Panel-dev/1Panel
Purl
pkg:golang/github.com/1Panel-dev/1Panel

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.10.1-lts