Описание
URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation allowing to execute arbitrary code.This issue affects CraftBeerPi 4: from 4.0.0.58 (commit 563fae9) before 4.4.1.a1 (commit 57572c7).
EPSS
Процентиль: 57%
0.00354
Низкий
9.8 Critical
CVSS3
Дефекты
CWE-94
Связанные уязвимости
EPSS
Процентиль: 57%
0.00354
Низкий
9.8 Critical
CVSS3
Дефекты
CWE-94