1Panel Stored Cross-Site Scripting Vulnerability in App Store Component

A stored Cross-Site Scripting (XSS) vulnerability has been identified in 1Panel, an open-source web-based control panel for Linux server management. This vulnerability exists in the 1Panel App Store when viewing application details, allowing malicious scripts to execute in the context of the user's browser. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. The issue arises from inadequate sanitization of content rendered by the MdEditor component with the 'previewOnly' attribute enabled. As a result, an attacker could publish a malicious application that executes arbitrary scripts when loaded by users, potentially leading to the theft of user cookies, unauthorized access to system functions, or other actions that compromise the system's confidentiality, integrity, and availability.

Impact

Exploitation of this vulnerability allows for stored Cross-Site Scripting, where injected scripts are executed in the context of the user's browser. This could lead to the theft of cookies, unauthorized access to system functions, or other actions that compromise the system's confidentiality, integrity, and availability.

Remediation

Users can upgrade to 1Panel v1.10.34-lts or v2.0.17, both of which include the necessary patch to address this vulnerability.