Vulnerability Change Records for CVE-2024-3798

Change History

New CVE Received by NIST 7/10/2024 8:15:09 AM

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V4.0 | | CERT.PL CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Added | CWE | | CERT.PL CWE-352 |
| Added | CWE | | CERT.PL CWE-78 |
| Added | CWE | | CERT.PL CWE-79 |
| Added | Description | | Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This issue affects Phoniebox in all releases through 2.7. Newer releases were not tested, but they might also be vulnerable. |
| Added | Reference | | CERT.PL https://cert.pl/en/posts/2024/07/CVE-2024-3798 [No types assigned] |
| Added | Reference | | CERT.PL https://cert.pl/posts/2024/07/CVE-2024-3798 [No types assigned] |
| Added | Reference | | CERT.PL https://github.com/MiczFlor/RPi-Jukebox-RFID/issues/2342 [No types assigned] |