CVE-2024-3346

Published: Apr 5, 2024Modified: Nov 21, 2024

6.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Exploitability: 2.8 / Impact: 3.4

Source: CNA (Secondary)

Description

A vulnerability was found in Byzoro Smart S80 up to 20240328. It has been declared as critical. This vulnerability affects unknown code of the file /log/webmailattach.php. The manipulation of the argument mail_file_path leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259450 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (8)

https://github.com/Yu1e/vuls/blob/main/Byzro%20Networks%20Smart%20S80%20management%20platform%20has%20rce%20vulnerability.md

Source: cna@vuldb.com

https://vuldb.com/?ctiid.259450

Source: cna@vuldb.com

https://vuldb.com/?id.259450

Source: cna@vuldb.com

https://vuldb.com/?submit.306277

Source: cna@vuldb.com

https://github.com/Yu1e/vuls/blob/main/Byzro%20Networks%20Smart%20S80%20management%20platform%20has%20rce%20vulnerability.md

Source: af854a3a-2127-422b-91ae-364da2661108

https://vuldb.com/?ctiid.259450

Source: af854a3a-2127-422b-91ae-364da2661108

https://vuldb.com/?id.259450

Source: af854a3a-2127-422b-91ae-364da2661108

https://vuldb.com/?submit.306277

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.