What is CVE-2024-39907?

CVE-2024-39907 is a critical-severity vulnerability in 1panel-dev 1panel, classified under SQL Injection. CVSS score: 9.8/10. Published 2024-07-18.

How severe is CVE-2024-39907?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2024-39907 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SQL Injection in 1panel-dev 1panel

CVE-2024-39907

1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have…

Vulnerability class: SQL Injection

EPSS: 0.842 (99.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

1panel-dev 1panel — versions >= 1.10.9-tls, < 1.10.12-tls

Weakness classification (CWE)

CWE-89 — SQL Injection

Public proof-of-concept exploits

References

https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2024-39907?: CVE-2024-39907 is a critical-severity vulnerability in 1panel-dev 1panel, classified under SQL Injection. CVSS score: 9.8/10. Published 2024-07-18.
How severe is CVE-2024-39907?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2024-39907 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.