CVE-2024-39907 CRITICAL

CVE-2024-39907: SQL injection in 1Panel

Vendor 1Panel-Dev
Product 1Panel
Weakness CWE-89 · SQLi
Published July 18, 2024
Last update August 2, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

1Panel is a web-based Linux server management control panel. The project contains many SQL injections, and some of them are not well filtered, leading to arbitrary file writes and ultimately to RCE. These SQL injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.

Key dates

02 Disclosure timeline

July 18, 2024 CVE published
August 2, 2024 Record updated