CVE-2024-3798
CVSS V2 None
CVSS V3 None
Description
Insecure handling of the "file" GET parameter in requests sent to an instance of the open-source project Phoniebox allows an attacker to create a website which, when visited by a user, sends malicious requests to multiple hosts on the local network. If such a request reaches a Phoniebox server, it causes one of the following, depending on the chosen payload: shell command execution, reflected XSS, or cross-site request forgery.
This issue affects Phoniebox in all releases through 2.7. Newer releases were not tested, but they might also be vulnerable.
Overview
- CVE ID: CVE-2024-3798
- Assigner: CERT-PL
- Vulnerability Status: PUBLISHED
- Published Version: 2024-07-10T11:59:10.637Z
- Last Modified Date: 2024-07-10T14:46:29.447Z
References
Reference URL | Reference Tags |
---|---|
https://cert.pl/en/posts/2024/07/CVE-2024-3798 | third-party-advisory |
https://cert.pl/posts/2024/07/CVE-2024-3798 | third-party-advisory |
https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342 | issue-tracking |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-3798 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3798 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-07-11 13:02:39 | | | | Added to TrackCVE |