1 results (0.004 seconds)
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3955 – Arbitrary code execution in CraftBeerPi 4
https://notcve.org/view.php?id=CVE-2024-3955
02 May 2024 — URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation allowing to execute arbitrary code.This issue affects CraftBeerPi 4: from 4.0.0.58 (commit 563fae9) before 4.4.1.a1 (commit 57572c7). El parámetro GET de URL "logtime" utilizado dentro de la función "downloadlog" de "cbpi/http_endpoints/http_system.py" se pasa posteriormente a la ... • https://cert.pl/en/posts/2024/05/CVE-2024-3955 • CWE-94: Improper Control of Generation of Code ('Code Injection') •