CVE-2024-24768 MEDIUM

CVE-2024-24768: 1Panel set-cookie is missing the Secure keyword

Vendor 1Panel-Dev
Product 1Panel
Weakness CWE-315
Published February 5, 2024
Last update June 17, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text if accessed using HTTP. This issue has been patched in version 1.9.6.

Key dates

02Disclosure timeline

February 5, 2024 CVE published
June 17, 2025 Record updated