An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized.
History

Wed, 11 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Dec 2024 07:45:00 +0000

Type Values Removed Values Added
Description An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized.
Title OS Command Injection
Weaknesses CWE-78
References

cve-icon MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published: 2024-12-10T07:35:06.842Z

Updated: 2024-12-11T16:59:50.646Z

Reserved: 2024-03-05T09:15:40.201Z

Link: CVE-2024-28138

cve-icon Vulnrichment

Updated: 2024-12-11T16:59:44.557Z

cve-icon NVD

Status : Received

Published: 2024-12-10T08:15:18.943

Modified: 2024-12-11T17:15:14.827

Link: CVE-2024-28138

cve-icon Redhat

No data.