Insecure handling of POST header parameter body included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause a shell command execution. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. Phoniebox in version 3.0 and higher are not affected.
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://cert.pl/en/posts/2024/07/CVE-2024-3798 | third party advisory |
| https://cert.pl/posts/2024/07/CVE-2024-3798 | third party advisory |
| https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342 | issue tracking |