CVE-2024-39907 a sqlinjection in 1Panel

2024-07-1815:31:30

CWE-89

GitHub_M

www.cve.org

1panel

linux server

sql injection

arbitrary file writes

rce

upgrade

version 1.10.12-tls

security

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

79.5%

JSON

1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.

CNA Affected

[
  {
    "vendor": "1Panel-dev",
    "product": "1Panel",
    "versions": [
      {
        "version": ">= 1.10.9-tls, < 1.10.12-tls",
        "status": "affected"
      }
    ]
  }
]