CVE-2025-34410
published 2025-12-10CVE-2025-34410: 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings…
PriorityP431high7.1CVSS 3.1
AVNACLPRNUIRSUCNILAH
EPSS
0.13%
2.8th percentile
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fit2cloud | 1panel | 1.10.33-lts – 2.0.15 | — |
| github.com | 1panel-dev_1panel | 1.10.33 – 2.0.15 | — |
| lxware | 1panel | 1.10.33 – 2.0.15 | — |
| msrc | cbl2_qt5-qtbase_5.12.11-15_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.17.1HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
nvdv4.07.0HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_msrc5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality in github.com/1Panel-dev/1Panel
osv·2025-12-15
CVE-2025-34410 1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality in github.com/1Panel-dev/1Panel
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality in github.com/1Panel-dev/1Panel
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality in github.com/1Panel-dev/1Panel.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: .
GHSA
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality
ghsa·2025-12-10
CVE-2025-34410 [HIGH] CWE-352 1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and deni
OSV
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality
osv·2025-12-10
CVE-2025-34410 [HIGH] 1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and deni
Microsoft
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configure
vendor_msrc·2023-06-13·CVSS 5.3
CVE-2023-34410 [MEDIUM] CWE-295 An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configure
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, w
No detection rules found.
No public exploits indexed.
2025-12-10
Published