2 matches found
PYSEC-2026-308 CraftBeerPi 4 allows arbitrary code execution
URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/httpendpoints/httpsystem.py" is subsequently passed to the "os.system" function in "cbpi/controller/systemcontroller.py" without prior validation allowing arbitrary code execution. This issue affects CraftBeerPi 4:...
PT-2024-28526
Name of the Vulnerable Software and Affected Versions CraftBeerPi 4 versions 4.0.0.58 through 4.4.1.a1 Description The issue arises from the URL GET parameter logtime being utilized within the "downloadlog" function from "cbpi/http endpoints/http system.py". This parameter is subsequently passed ...