cbcvebase.
CVE-2024-39907
published 2024-07-18


Priority: P1 · 79 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 29.40% (97.9th percentile)
1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.

Affected (3 ranges)

Vendor        Product             Version range                  Fixed in
1panel-dev    1panel              (not specified)                (not specified)
fit2cloud     1panel              >= 1.10.9-lts, < 1.10.12-lts   1.10.12-lts
github.com    1panel-dev_1panel   >= 0, < 1.10.12-tls            1.10.12-tls

Detection & IOCs (extracted from sources)

url: /api/v1/auth/login
url: /api/v1/hosts/command/search
command: 3;ATTACH DATABASE '/tmp/{{randstr}}.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;
path: /tmp/*.txt
  • Exploit traffic targets POST /api/v1/hosts/command/search with a SQL-injected 'orderBy' field carrying a SQLite ATTACH DATABASE payload; detect the string 'ATTACH DATABASE' in request bodies sent to this endpoint.
  • Successful exploitation produces a response body containing both 'SQL logic error' and 'table exp already exists'; monitor application responses for this combination as a post-exploitation indicator.
  • Authentication to 1Panel uses a custom HTTP header 'EntranceCode' with the static base64 value 'ZW50cmFuY2U='; the presence of this header in login requests can fingerprint 1Panel instances and attacker tooling.
  • 1Panel instances can be fingerprinted via FOFA using icon hashes or the TLS certificate CN; use these to identify exposed attack surface.
  • The login endpoint accepts JSON with 'ignoreCaptcha':true and 'authMethod':'session'; automated exploit tools consistently send these fields, so use them as a detection signal on the /api/v1/auth/login endpoint.
  • The vulnerability requires authentication (a valid session cookie 'psession' from a prior login must be present); exploitation is a two-step HTTP sequence: login first, then inject via the search endpoint.
  • The SQL injection payload leverages SQLite's ATTACH DATABASE to write arbitrary files to /tmp on the server; the written filename is randomised per request, so file-based IOCs should use the /tmp/*.txt pattern rather than a fixed name.
  • The CVSS score of 9.8 (PR:N) in the template metadata conflicts with the 'Authenticated' classification; the NVD entry and the template both note that authentication is required, so the PR:N score may be inaccurate. Treat this as an authenticated critical vulnerability.
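The detection bullets above, turned into a small checker that runs over constructed HTTP transaction records. This is an added example, not code from the page's sources or from 1Panel; the record schema (src, method, path, headers, request_body, response_body), the indicator names and the sample traffic are assumptions made here, and the records are assumed to be in time order so that the login-then-inject sequence can be correlated per source.

```python
import json
import re

LOGIN_ENDPOINT = "/api/v1/auth/login"
SEARCH_ENDPOINT = "/api/v1/hosts/command/search"
ATTACH_RE = re.compile(r"ATTACH\s+DATABASE", re.IGNORECASE)
ENTRANCE_CODE = "ZW50cmFuY2U="  # static header value quoted on the page

def _fields(text):
    """Parse a JSON object body; anything else yields an empty dict."""
    try:
        obj = json.loads(text)
    except ValueError:
        return {}
    return obj if isinstance(obj, dict) else {}

def classify(rec):
    """Indicator names matched by one record (constructed schema, see lead-in)."""
    hits, path = [], rec["path"]
    body, resp = rec.get("request_body", ""), rec.get("response_body", "")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if path == LOGIN_ENDPOINT:
        if headers.get("entrancecode") == ENTRANCE_CODE:
            hits.append("entrancecode_header")
        f = _fields(body)
        if f.get("ignoreCaptcha") is True and f.get("authMethod") == "session":
            hits.append("login_automation_fields")
    elif path == SEARCH_ENDPOINT and rec.get("method") == "POST":
        if ATTACH_RE.search(body):  # injected orderBy lands in the request body
            hits.append("sqli_attach_database")
        if "SQL logic error" in resp and "table exp already exists" in resp:
            hits.append("attach_write_succeeded")
    return hits

def correlate(records):
    """Sources whose automated-looking login is later followed by an ATTACH DATABASE injection."""
    logged_in, flagged = set(), []
    for rec in records:  # assumed to be in time order
        hits = classify(rec)
        if "login_automation_fields" in hits:
            logged_in.add(rec["src"])
        if "sqli_attach_database" in hits and rec["src"] in logged_in:
            flagged.append(rec["src"])
    return flagged

# Constructed sample traffic: a scripted login, then an injected search, from one source.
SAMPLE = [
    {"src": "203.0.113.5", "method": "POST", "path": LOGIN_ENDPOINT, "headers": {"EntranceCode": ENTRANCE_CODE},
     "request_body": '{"name":"admin","password":"x","ignoreCaptcha":true,"authMethod":"session"}', "response_body": '{"code":200}'},
    {"src": "203.0.113.5", "method": "POST", "path": SEARCH_ENDPOINT, "headers": {},
     "request_body": '{"page":1,"pageSize":10,"orderBy":"3;ATTACH DATABASE \'/tmp/x.txt\' AS t;"}',
     "response_body": '{"code":500,"message":"SQL logic error: table exp already exists"}'},
]
```

Running `correlate(SAMPLE)` flags 203.0.113.5; a search request with a plain 'orderBy' value and a 200 response yields no indicators.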