{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8684", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-09-11T08:12:14.979Z", "datePublished": "2025-02-10T12:45:35.339Z", "dateUpdated": "2025-02-12T15:43:30.941Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Revolution Pi", "vendor": "KUNBUS GmbH", "versions": [{"status": "affected", "version": "2022-07-28-revpi-buster version"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ethan Shackelford"}], "datePublic": "2025-02-10T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the \u2018php/dal.php\u2019 endpoint, in the \u2018arrSaveConfig\u2019 parameter."}], "value": "OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the \u2018php/dal.php\u2019 endpoint, in the \u2018arrSaveConfig\u2019 parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-02-10T12:45:35.339Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "source": {"discovery": "EXTERNAL"}, "title": "OS Command Injection vulnerability in Revolution Pi", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-10T13:22:11.180211Z", "id": "CVE-2024-8684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:43:30.941Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the \u2018php/dal.php\u2019 endpoint, in the \u2018arrSaveConfig\u2019 parameter."}], "id": "CVE-2024-8684", "lastModified": "2025-02-10T13:15:26.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2025-02-10T13:15:26.103", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}

{}