CVE-2024-34852

{"id": "CVE-2024-34852", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2024-05-28T17:15:10.303", "references": [{"url": "https://github.com/Yang-Nankai/Vulnerabilities/blob/main/DataCube3%20Shell%20Code%20Injection.md", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "F-logic DataCube3 v1.0 is affected by command injection due to improper string filtering at the command execution point in the ./admin/transceiver_schedule.php file. An unauthenticated remote attacker can exploit this vulnerability by sending a file name containing command injection. Successful exploitation of this vulnerability may allow the attacker to execute system commands."}, {"lang": "es", "value": "F-logic DataCube3 v1.0 se ve afectado por la inyecci\u00f3n de comandos debido a un filtrado inadecuado de cadenas en el punto de ejecuci\u00f3n del comando en el archivo ./admin/transceiver_schedule.php. Un atacante remoto no autenticado puede aprovechar esta vulnerabilidad enviando un nombre de archivo que contenga una inyecci\u00f3n de comando. La explotaci\u00f3n exitosa de esta vulnerabilidad puede permitir al atacante ejecutar comandos del sistema."}], "lastModified": "2024-07-03T02:00:50.907", "sourceIdentifier": "cve@mitre.org"}