CVE-2024-3798
HIGHPhoniebox <=2.7 - Command Execution via file GET Parameter
Title source: manualDescription
Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. Phoniebox in version 3.0 and higher are not affected.
References (3)
Core 3
Core References
Various Sources third-party-advisory
https://cert.pl/en/posts/2024/07/CVE-2024-3798
Various Sources third-party-advisory
https://cert.pl/posts/2024/07/CVE-2024-3798
Issue Tracking issue-tracking
https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342
Scores
CVSS v4
8.7
EPSS
0.0048
EPSS Percentile
37.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-352
CWE-78
CWE-79
Status
published
Products (2)
Phoniebox/Phoniebox
< 2.7
Phoniebox/Phoniebox
3.0
Published
Jul 10, 2024
Tracked Since
Feb 18, 2026