Low severityNVD Advisory· Published Feb 5, 2024· Updated Jun 17, 2025
1Panel set-cookie is missing the Secure keyword
CVE-2024-24768
Description
1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text if accessed using HTTP. This issue has been patched in version 1.9.6.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/1Panel-dev/1PanelGo | < 1.9.6 | 1.9.6 |
Affected products
1- Range: <= 1.9.5
Patches
11169648162c4feat: 面板开启 https 时,cookie 开启 secure 属性 (#3817)
2 files changed · +16 −2
backend/app/service/auth.go+10 −2 modified@@ -109,6 +109,10 @@ func (u *AuthService) generateSession(c *gin.Context, name, authMethod string) ( if err != nil { return nil, err } + httpsSetting, err := settingRepo.Get(settingRepo.WithByKey("SSL")) + if err != nil { + return nil, err + } lifeTime, err := strconv.Atoi(setting.Value) if err != nil { return nil, err @@ -129,7 +133,7 @@ func (u *AuthService) generateSession(c *gin.Context, name, authMethod string) ( sessionUser, err := global.SESSION.Get(sID) if err != nil { sID = uuid.New().String() - c.SetCookie(constant.SessionName, sID, 0, "", "", false, false) + c.SetCookie(constant.SessionName, sID, 0, "", "", httpsSetting.Value == "enable", false) err := global.SESSION.Set(sID, sessionUser, lifeTime) if err != nil { return nil, err @@ -144,9 +148,13 @@ func (u *AuthService) generateSession(c *gin.Context, name, authMethod string) ( } func (u *AuthService) LogOut(c *gin.Context) error { + httpsSetting, err := settingRepo.Get(settingRepo.WithByKey("SSL")) + if err != nil { + return err + } sID, _ := c.Cookie(constant.SessionName) if sID != "" { - c.SetCookie(constant.SessionName, sID, -1, "", "", false, false) + c.SetCookie(constant.SessionName, sID, -1, "", "", httpsSetting.Value == "enable", false) err := global.SESSION.Delete(sID) if err != nil { return err
backend/app/service/setting.go+6 −0 modified@@ -198,6 +198,9 @@ func (u *SettingService) UpdateSSL(c *gin.Context, req dto.SSLUpdate) error { } _ = os.Remove(path.Join(secretDir, "server.crt")) _ = os.Remove(path.Join(secretDir, "server.key")) + sID, _ := c.Cookie(constant.SessionName) + c.SetCookie(constant.SessionName, sID, 0, "", "", false, false) + go func() { _, err := cmd.Exec("systemctl restart 1panel.service") if err != nil { @@ -289,6 +292,9 @@ func (u *SettingService) UpdateSSL(c *gin.Context, req dto.SSLUpdate) error { if err := settingRepo.Update("SSL", req.SSL); err != nil { return err } + + sID, _ := c.Cookie(constant.SessionName) + c.SetCookie(constant.SessionName, sID, 0, "", "", true, false) go func() { time.Sleep(1 * time.Second) _, err := cmd.Exec("systemctl restart 1panel.service")
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-9xfw-jjq2-7v8hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-24768ghsaADVISORY
- github.com/1Panel-dev/1Panel/commit/1169648162c4b9b48e0b4aa508f9dea4d6bc50d5ghsax_refsource_MISCWEB
- github.com/1Panel-dev/1Panel/pull/3817ghsax_refsource_MISCWEB
- github.com/1Panel-dev/1Panel/security/advisories/GHSA-9xfw-jjq2-7v8hghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.