Advisories for Golang/Github.com/1Panel-Dev/1Panel/Core package

A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO).

First, we introduce the concepts of 1panel v2 Core and Agent. After the new version is released, 1panel adds the node management function, which allows you to control other hosts by adding nodes. The HTTPS protocol used for communication between the Core and Agent sides did not fully verify the authenticity of the certificate during certificate verification, resulting in unauthorized interfaces. The presence of a large number of command execution …