### [CVE-2024-28138](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28138)
![](https://img.shields.io/static/v1?label=Product&message=Scan2Net&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-78%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20OS%20Command%20('OS%20Command%20Injection')&color=brightgreen)

### Description

An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized.

### POC

#### Reference
- https://r.sec-consult.com/imageaccess

#### Github
No PoCs found on GitHub currently.