CVE-2024-3798

July 10, 2024, 12:15 p.m.

None
No Score

Description

Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. Newer releases were not tested, but they might also be vulnerable.

Product(s) Impacted

Product Versions
Phoniebox
  • <= 2.7

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://cert.pl/en/posts/2024/07/CVE-2024-3798
https://cert.pl/posts/2024/07/CVE-2024-3798
https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342

Tags

cvd@cert.pl
CWE-352
2024-07-10
CVE-2024-3798

Date

  • Published: July 10, 2024, 12:15 p.m.
  • Last Modified: July 10, 2024, 12:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cvd@cert.pl

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.