CVE-2024-30257
CVE-2024-30257 is a low-severity vulnerability in Fit2cloud 1panel with a CVSS 3.x base score of 3.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-203.
Key facts
- Severity: Low (CVSS 3.x base score 3.9)
- EPSS exploit prediction: 0% (30th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-1127
- Weakness: CWE-203
- Affected product: Fit2cloud 1panel
- Published:
- Last modified:
Description
1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts.
Frequently asked questions
- What is CVE-2024-30257?
- 1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts.
- How severe is CVE-2024-30257?
- CVE-2024-30257 has a CVSS 3.x base score of 3.9, rated low severity. It is exploitable over network with high attack complexity, requires high privileges and user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2024-30257 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (30th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-30257?
- CVE-2024-30257 affects Fit2cloud 1panel. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-30257?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-30257 have an EU (EUVD) identifier?
- Yes. CVE-2024-30257 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-1127.
- When was CVE-2024-30257 published?
- CVE-2024-30257 was published on 2024-04-18 and last updated on 2026-06-17.
References
- https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26
- https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-6m9h-2pr2-9j8f
Affected products (1)
- cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*
More vulnerabilities in Fit2cloud 1panel
- CVE-2024-39911 — Critical (CVSS 10.0): 1Panel is a web-based linux server management control panel. 1Panel contains an unspecified sql injection via…
- CVE-2024-39907 — Critical (CVSS 9.8): 1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of…
- CVE-2025-56413 — High (CVSS 8.8): OS Command injection vulnerability in function OperateSSH in 1panel 2.0.8 allowing attackers to execute arbitrary…
- CVE-2025-54424 — High (CVSS 8.1): 1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux…
- CVE-2025-66507 — High (CVSS 7.5): 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an…
- CVE-2023-39966 — High (CVSS 7.5): 1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file…
All CVEs affecting Fit2cloud 1panel →
Other CWE-203 (Observable Discrepancy) vulnerabilities
- CVE-2019-25337 — Critical (CVSS 9.8): OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by…
- CVE-2026-23519 — Critical (CVSS 9.8): RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in…
- CVE-2025-27667 — Critical (CVSS 9.8): Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Administrative…
- CVE-2024-25714 — Critical (CVSS 9.8): In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel…
- CVE-2024-25191 — Critical (CVSS 9.8): php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass…
- CVE-2024-25190 — Critical (CVSS 9.8): l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass…
Browse all CWE-203 (Observable Discrepancy) vulnerabilities →