CVE-2024-47946

Published: Dec 10, 2024Modified: Nov 3, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

If the attacker has access to a valid Poweruser session, remote code execution is possible because specially crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PHP script is available in the web root. The PHP code executes once the uploaded file is accessed. This allows the execution of arbitrary PHP code and OS commands on the device as "www-data".

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (3)

https://r.sec-consult.com/imageaccess

Source: 551230f0-3615-47bd-b7cc-93e92e730bbf

https://www.imageaccess.de/?page=SupportPortal&lang=en

Source: 551230f0-3615-47bd-b7cc-93e92e730bbf

http://seclists.org/fulldisclosure/2024/Dec/2

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.