216.73.216.75

CVE-2024-47946

· Published 10/12/2024 08:15 · Modified 20/12/2024 21:15

Labels: CVE-2024-47946 2024-12-10551230f0-3615-47bd-b7cc-93e92e730bbfCVE-2024-47946CWE-434

Essential information

Published
10/12/2024 08:15
Modified
20/12/2024 21:15
Author
Creator
CVSS
7.2 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

If the attacker has access to a valid Poweruser session, remote code execution is possible because specially crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PHP script is available in the web root. The PHP code executes once the uploaded file is accessed. This allows the execution of arbitrary PHP code and OS commands on the device as "www-data".

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
551230f0-3615-47bd-b7cc-93e92e730bbf
NVD
View on NVD

References