cvelist/2024/3xxx/CVE-2024-3799.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-3799",
        "ASSIGNER": "cvd@cert.pl",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "Insecure handling of POST header parameter body\u00a0included in requests being sent to an instance of the open-source project\u00a0Phoniebox allows an attacker to create a website, which \u2013 when visited by a user \u2013 will send\u00a0malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause a\u00a0shell command execution.\n\n\nThis issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. \nPhoniebox in version 3.0 and higher are not affected."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                        "cweId": "CWE-78"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Phoniebox",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Phoniebox",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "lessThanOrEqual": "2.7",
                                                        "status": "affected",
                                                        "version": "0",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "version": "3.0",
                                                        "versionType": "semver"
                                                    }
                                                ],
                                                "defaultStatus": "unknown"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://cert.pl/en/posts/2024/07/CVE-2024-3798",
                "refsource": "MISC",
                "name": "https://cert.pl/en/posts/2024/07/CVE-2024-3798"
            },
            {
                "url": "https://cert.pl/posts/2024/07/CVE-2024-3798",
                "refsource": "MISC",
                "name": "https://cert.pl/posts/2024/07/CVE-2024-3798"
            },
            {
                "url": "https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342",
                "refsource": "MISC",
                "name": "https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.2.0"
    },
    "source": {
        "discovery": "UNKNOWN"
    }
}
"-Synchronized-Data." 2024-04-15 11:00:32 +00:00			`{`
"-Synchronized-Data." 2024-07-10 12:00:37 +00:00			`"data_version": "4.0",`
"-Synchronized-Data." 2024-04-15 11:00:32 +00:00			`"data_type": "CVE",`
			`"data_format": "MITRE",`
			`"CVE_data_meta": {`
			`"ID": "CVE-2024-3799",`
"-Synchronized-Data." 2024-07-10 12:00:37 +00:00			`"ASSIGNER": "cvd@cert.pl",`
			`"STATE": "PUBLIC"`
"-Synchronized-Data." 2024-04-15 11:00:32 +00:00			`},`
			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2024-07-12 10:00:34 +00:00			"value": "Insecure handling of POST header parameter body\u00a0included in requests being sent to an instance of the open-source project\u00a0Phoniebox allows an attacker to create a website, which \u2013 when visited by a user \u2013 will send\u00a0malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause a\u00a0shell command execution.\n\n\nThis issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. \nPhoniebox in version 3.0 and higher are not affected."
"-Synchronized-Data." 2024-07-10 12:00:37 +00:00			`}`
			`]`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",`
			`"cweId": "CWE-78"`
			`}`
			`]`
"-Synchronized-Data." 2024-04-15 11:00:32 +00:00			`}`
			`]`
"-Synchronized-Data." 2024-07-10 12:00:37 +00:00			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"vendor_name": "Phoniebox",`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Phoniebox",`
			`"version": {`
			`"version_data": [`
			`{`
"-Synchronized-Data." 2024-07-12 10:00:34 +00:00			`"version_value": "not down converted",`
			`"x_cve_json_5_version_data": {`
			`"versions": [`
			`{`
			`"lessThanOrEqual": "2.7",`
			`"status": "affected",`
			`"version": "0",`
			`"versionType": "semver"`
			`},`
			`{`
			`"lessThanOrEqual": "*",`
			`"status": "unaffected",`
			`"version": "3.0",`
			`"versionType": "semver"`
			`}`
			`],`
			`"defaultStatus": "unknown"`
			`}`
"-Synchronized-Data." 2024-07-10 12:00:37 +00:00			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"url": "https://cert.pl/en/posts/2024/07/CVE-2024-3798",`
			`"refsource": "MISC",`
			`"name": "https://cert.pl/en/posts/2024/07/CVE-2024-3798"`
			`},`
			`{`
			`"url": "https://cert.pl/posts/2024/07/CVE-2024-3798",`
			`"refsource": "MISC",`
			`"name": "https://cert.pl/posts/2024/07/CVE-2024-3798"`
			`},`
			`{`
			`"url": "https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342",`
			`"refsource": "MISC",`
			`"name": "https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342"`
			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.2.0"`
			`},`
			`"source": {`
			`"discovery": "UNKNOWN"`
"-Synchronized-Data." 2024-04-15 11:00:32 +00:00			`}`
			`}`