{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8684", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-09-11T08:12:14.979Z", "datePublished": "2025-02-10T12:45:35.339Z", "dateUpdated": "2025-02-12T15:43:30.941Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Revolution Pi", "vendor": "KUNBUS GmbH", "versions": [{"status": "affected", "version": "2022-07-28-revpi-buster version"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ethan Shackelford"}], "datePublic": "2025-02-10T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the \u2018php/dal.php\u2019 endpoint, in the \u2018arrSaveConfig\u2019 parameter."}], "value": "OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the \u2018php/dal.php\u2019 endpoint, in the \u2018arrSaveConfig\u2019 parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-02-10T12:45:35.339Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "source": {"discovery": "EXTERNAL"}, "title": "OS Command Injection vulnerability in Revolution Pi", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-10T13:22:11.180211Z", "id": "CVE-2024-8684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:43:30.941Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command Injection vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to execute OS commands on the device via the \u2018php/dal.php\u2019 endpoint, in the \u2018arrSaveConfig\u2019 parameter."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en Revolution Pi versi\u00f3n 2022-07-28-revpi-buster de KUNBUS GmbH. Esta vulnerabilidad podr\u00eda permitir que un atacante autenticado ejecute comandos del sistema operativo en el dispositivo a trav\u00e9s del endpoint 'php/dal.php', en el par\u00e1metro 'arrSaveConfig'."}], "id": "CVE-2024-8684", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2025-02-10T13:15:26.103", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}

{}

{}