CVE-2024-34852
MEDIUM
F-logic DataCube3 v1.0 - Unauthenticated Command Injection via transceiver_schedule.php File Name
Title source: llmDescription
F-logic DataCube3 v1.0 is affected by command injection due to improper string filtering at the command execution point in the ./admin/transceiver_schedule.php file. An unauthenticated remote attacker can exploit this vulnerability by sending a file name that contains injected commands. Successful exploitation may allow the attacker to execute system commands.
References (1)
Core References
Exploit, Third Party Advisory: https://github.com/Yang-Nankai/Vulnerabilities/blob/main/DataCube3%20Shell%20Code%20Injection.md
Scores
CVSS v3: 6.3
EPSS: 0.0203
EPSS Percentile: 84.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-77
Status: published
Products (1): f-logic/datacube3_firmware 1.0
Published: May 28, 2024
Tracked Since: Feb 18, 2026