CRITICAL🇵🇱 Wersja polska

CVE-2024-39907

CVSS 9.8v3.1pub. 2024-07-18upd. 2024-11-21

1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.

🤖 AI Analysis
How it works

An attacker can remotely, without any authentication, submit crafted SQL queries to vulnerable endpoints of the 1Panel application. Due to insufficient input filtering, it is possible to execute SQL injection, which allows writing arbitrary files to the server's file system. By writing malicious executable files or scripts, an attacker can achieve full system takeover (RCE).

Impact

An attacker can gain full control over the system — compromising confidentiality, integrity, and availability of data — through remote execution of arbitrary code on the server without requiring any privileges.

Mitigation & patch

1Panel should be updated to version 1.10.12-tls or newer, which includes fixes for the described SQL injection vulnerabilities. The vendor does not indicate any workarounds for these vulnerabilities.

Who is affected

Fit2Cloud 1Panel — all versions before 1.10.12-tls

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fit2cloud 1panel

    APP
    Fit2Cloud
    1.10.9-lts – 1.10.12-lts (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2024-39911CRITICAL10.0PL ✓ten sam produkt

SQL Injection przez nagłówek User-Agent w Fit2Cloud 1Panel

CVE-2025-34410HIGH7.0ten sam produkt

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Usern...

CVE-2025-34429HIGH7.0ten sam produkt

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port con...

CVE-2025-66507HIGH7.5ten sam produkt

1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow...

CVE-2025-56413HIGH8.8ten sam produkt

OS Command injection vulnerability in function OperateSSH in 1panel 2.0.8 allowing attackers to execute arbitr...