CVE-2024-39907
a sqlinjection in 1Panel
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
1Panel es un panel de control de gestión de servidores Linux basado en web. Hay muchas inyecciones de SQL en el proyecto y algunas de ellas no están bien filtradas, lo que provoca escrituras de archivos arbitrarias y, en última instancia, conduce a RCE. Estas inyecciones de SQL se resolvieron en la versión 1.10.12-tls. Se recomienda a los usuarios que actualicen. No se conocen workarounds para estos problemas.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-07-02 CVE Reserved
- 2024-07-18 CVE Published
- 2024-08-02 CVE Updated
- 2024-09-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| 1Panel-dev Search vendor "1Panel-dev" | 1Panel Search vendor "1Panel-dev" for product "1Panel" | >= 1.10.9 < 1.10.12 Search vendor "1Panel-dev" for product "1Panel" and version " >= 1.10.9 < 1.10.12" | en |
Affected
| ||||||