CVE-2024-47946
Dec. 10, 2024, 8:15 a.m.
Tags
Product(s) Impacted
UNKNOWN
Description
If the attacker has access to a valid Poweruser session, remote code execution is possible because specially crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PHP script is available in the web root. The PHP code executes once the uploaded file is accessed. This allows the execution of arbitrary PHP code and OS commands on the device as "www-data".
Weaknesses
CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CWE ID: 434Date
Published: Dec. 10, 2024, 8:15 a.m.
Last Modified: Dec. 10, 2024, 8:15 a.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
551230f0-3615-47bd-b7cc-93e92e730bbf