Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Remote Command Injection in RaspberryMatic
Vulnerability Description
RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
RaspberryMatic 操作系统命令注入漏洞
Vulnerability Description
RaspberryMatic是德国Jens Maus个人开发者的一种免费且非商业的开源操作系统替代方案。用于运行无云的智能家居物联网中心。 RaspberryMatic 存在操作系统命令注入漏洞,该漏洞源于缺少输入验证/清理以及使用危险的 CGI 功能。攻击者通过网络访问 WebUI 界面,通过 HTTP 查询字符串中的 shell 元字符执行任意操作系统命令。以下产品和版本受到影响:2.31.25.20180428 - 3.61.7.20220226。
CVSS Information
N/A
Vulnerability Type
N/A