An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized.
Metrics
Affected Vendors & Products
References
History
Wed, 11 Dec 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Tue, 10 Dec 2024 07:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized. | |
Title | OS Command Injection | |
Weaknesses | CWE-78 | |
References |
|
MITRE
Status: PUBLISHED
Assigner: SEC-VLab
Published: 2024-12-10T07:35:06.842Z
Updated: 2024-12-11T16:59:50.646Z
Reserved: 2024-03-05T09:15:40.201Z
Link: CVE-2024-28138
Vulnrichment
Updated: 2024-12-11T16:59:44.557Z
NVD
Status : Received
Published: 2024-12-10T08:15:18.943
Modified: 2024-12-11T17:15:14.827
Link: CVE-2024-28138
Redhat
No data.