{"vulnerability": "CVE-2024-3990", "sightings": [{"uuid": "daf71c1e-eeb1-4f7b-850f-01b45b813ad0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39902", "type": "seen", "source": "https://t.me/cvedetector/1444", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39902 - Tuleap Unchecked Permission Checkbox Vuln\", \n  \"Content\": \"CVE ID : CVE-2024-39902 \nPublished : July 22, 2024, 2:15 p.m. | 33\u00a0minutes ago \nDescription : Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the checkbox \"Apply same permissions to all sub-items of this folder\" in the document manager permissions modal is not taken into account and always considered as unchecked. In situations where the permissions are being restricted some users might still keep, incorrectly, the possibility to edit or manage items. Only change made via the web UI are affected, changes directly made via the REST API are not impacted. This vulnerability is fixed in Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8. \nSeverity: 4.8 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"22 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-22T16:59:34.000000Z"}, {"uuid": "491dab25-824f-47c5-98eb-a5096b0062ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39908", "type": "seen", "source": "MISP/acd0294c-4561-4286-a04e-5c02a1c67b1f", "content": "", "creation_timestamp": "2025-09-15T13:28:31.000000Z"}, {"uuid": "d631309f-e5b4-4110-bc3a-0d6b07760180", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2024-3990", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mcbqf2fp3s2e", "content": "", "creation_timestamp": "2026-01-13T04:40:08.414004Z"}, {"uuid": "9cdc0d28-3b0e-4b47-8951-e690235532a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39908", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/9512", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1aCVE-2024\n\u63cf\u8ff0\uff1aCVE-2024-39908 full poc\nURL\uff1ahttps://github.com/SpiralBL0CK/CVE-2024-39908\n\n\u6807\u7b7e\uff1a#CVE-2024", "creation_timestamp": "2024-12-19T19:01:18.000000Z"}, {"uuid": "407203f0-d71d-4b2f-a3c8-17852da695b8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39908", "type": "seen", "source": "MISP/acd0294c-4561-4286-a04e-5c02a1c67b1f", "content": "", "creation_timestamp": "2025-09-16T03:45:01.000000Z"}, {"uuid": "23e5b05e-a544-4bd3-a8e8-b99094b6a5b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39900", "type": "seen", "source": "https://t.me/cvedetector/478", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39900 - OpenSearch Dashboards Reports allows \u2018Report Owner\", \n  \"Content\": \"CVE ID : CVE-2024-39900 \nPublished : July 9, 2024, 10:15 p.m. | 28\u00a0minutes ago \nDescription : OpenSearch Dashboards Reports allows \u2018Report Owner\u2019 export and share reports from OpenSearch Dashboards. An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14. \nSeverity: 5.4 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"10 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-10T00:52:10.000000Z"}, {"uuid": "42220631-e741-45bc-a7e4-abe48d02e944", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39909", "type": "seen", "source": "https://t.me/cvedetector/762", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39909 - KubeClarity is a tool for detection and management\", \n  \"Content\": \"CVE ID : CVE-2024-39909 \nPublished : July 12, 2024, 3:15 p.m. | 20\u00a0minutes ago \nDescription : KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`. As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1. \nSeverity: 6.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"12 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-12T17:46:35.000000Z"}, {"uuid": "0f23a9ef-811b-4e14-82fc-6e8bc2aa2e39", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39903", "type": "seen", "source": "https://t.me/cvedetector/759", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39903 - Solara is a pure Python, React-style framework for\", \n  \"Content\": \"CVE ID : CVE-2024-39903 \nPublished : July 12, 2024, 3:15 p.m. | 20\u00a0minutes ago \nDescription : Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version Severity: 8.6 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"12 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-12T17:46:32.000000Z"}, {"uuid": "5e6edf42-beb5-418e-9af1-7742f2e164c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39904", "type": "published-proof-of-concept", "source": "https://t.me/cvedetector/663", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39904 - VNote is a note-taking platform. Prior to 3.18.1,\", \n  \"Content\": \"CVE ID : CVE-2024-39904 \nPublished : July 11, 2024, 4:15 p.m. | 39\u00a0minutes ago \nDescription : VNote is a note-taking platform. Prior to 3.18.1, a code execution vulnerability existed in VNote, which allowed an attacker to execute arbitrary programs on the victim's system. A crafted URI can be used in a note to perform this attack using file:/// as a link. For example, file:///C:/WINDOWS/system32/cmd.exe. This allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as file:///C:/WINDOWS/system32/cmd.exe and file:///C:/WINDOWS/system32/calc.exe. This vulnerability can be exploited by creating and sharing specially crafted notes. An attacker could send a crafted note file and perform further attacks. This vulnerability is fixed in 3.18.1. \nSeverity: 8.8 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-11T19:09:26.000000Z"}, {"uuid": "9277b382-d2ff-466d-9c8b-51320b84d5d4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39905", "type": "seen", "source": "https://t.me/cvedetector/662", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39905 - Red is a fully modular Discord bot. Due to a bug i\", \n  \"Content\": \"CVE ID : CVE-2024-39905 \nPublished : July 11, 2024, 4:15 p.m. | 39\u00a0minutes ago \nDescription : Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The problem was patched and released in version 3.5.10. \nSeverity: 5.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-11T19:09:26.000000Z"}, {"uuid": "ac4ea7dd-a773-4cf4-bb9e-91bf6660021a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39901", "type": "seen", "source": "https://t.me/cvedetector/477", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39901 - OpenSearch Observability is collection of plugins\", \n  \"Content\": \"CVE ID : CVE-2024-39901 \nPublished : July 9, 2024, 10:15 p.m. | 28\u00a0minutes ago \nDescription : OpenSearch Observability is collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14. \nSeverity: 5.4 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"10 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-10T00:52:09.000000Z"}, {"uuid": "a0d59c65-9759-4dfc-8145-904ea583cbf6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39907", "type": "published-proof-of-concept", "source": "https://t.me/Kelvinseccommunity/592", "content": "#exploit\n1. CVE-2024-40348:\nUnauth directory traversal in Bazaar 1.4.3\nhttps://github.com/bigb0x/CVE-2024-40348\n\n2. CVE-2024-39907:\nSQLi in Linux 1Panel\nhttps://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6", "creation_timestamp": "2024-07-26T05:11:20.000000Z"}, {"uuid": "9cc26e41-aaf3-4417-9530-ede5b4181c67", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39906", "type": "seen", "source": "https://t.me/cvedetector/1235", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39906 - Haven Blog Ruby on Rails IndieAuth Command Injection Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-39906 \nPublished : July 19, 2024, 8:15 p.m. | 35\u00a0minutes ago \nDescription : A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads to the immediate execution of the provided commands when the link is accessed by the authenticated administrator. This issue may lead to Remote Code Execution (RCE) and has been addressed by commit `c52f07c`. Users are advised to upgrade. There are no known workarounds for this vulnerability. \nSeverity: 8.3 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"19 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-19T22:53:58.000000Z"}, {"uuid": "5bb7cf0d-48ad-497a-aeec-32722546b495", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39907", "type": "seen", "source": "https://t.me/cvedetector/1155", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39907 - Panel SQL Injection Vulnerability: RCE Through Unfiltered File Writes\", \n  \"Content\": \"CVE ID : CVE-2024-39907 \nPublished : July 18, 2024, 4:15 p.m. | 39\u00a0minutes ago \nDescription : 1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues. \nSeverity: 9.8 | CRITICAL \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-18T19:18:04.000000Z"}, {"uuid": "44506581-f628-4389-9707-d7e6c995df28", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39908", "type": "seen", "source": "https://t.me/cvedetector/988", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-39908 - Apache REXML XML Denial of Service Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-39908 \nPublished : July 16, 2024, 6:15 p.m. | 37\u00a0minutes ago \nDescription : REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as ``. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"16 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-16T21:18:16.000000Z"}, {"uuid": "0deb8621-edfb-47a0-8ca4-17a79e5722c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39907", "type": "published-proof-of-concept", "source": "https://t.me/CNArsenal/2834", "content": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6\n\ncve-2024-39907\n#github #poc", "creation_timestamp": "2024-07-23T17:20:16.000000Z"}, {"uuid": "9afa80fc-c96c-4754-bad7-3ba53e8d4942", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39907", "type": "published-proof-of-concept", "source": "https://t.me/HackingInsights/7005", "content": "\u200aCVE-2024-39907 (CVSS 9.8): SQLi Flaw Exposes 1Panel Users to Remote Takeover, PoC Published\n\nhttps://securityonline.info/cve-2024-39907-cvss-9-8-sqli-flaw-exposes-1panel-users-to-remote-takeover-poc-published/", "creation_timestamp": "2024-07-23T10:41:54.000000Z"}, {"uuid": "d8f273f2-1902-425b-971f-02854188ef6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-39907", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/10884", "content": "#exploit\n1. CVE-2024-40348:\nUnauth directory traversal in Bazaar 1.4.3\nhttps://github.com/bigb0x/CVE-2024-40348\n\n2. CVE-2024-39907:\nSQLi in Linux 1Panel\nhttps://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6", "creation_timestamp": "2024-07-27T12:01:41.000000Z"}]}