PYSEC-2026-308 CraftBeerPi 4 allows arbitrary code execution
The URL GET parameter "logtime", used by the "downloadlog" function in "cbpi/httpendpoints/httpsystem.py", is passed on to the "os.system" function in "cbpi/controller/systemcontroller.py" without prior validation, allowing arbitrary OS command execution. This issue affects CraftBeerPi 4:...
Arbitrary Code Injection
cbpi4 is vulnerable to Arbitrary Code Injection. The vulnerability stems from a lack of validation of the "logtime" URL parameter before it is passed to the os.system function, which allows an attacker to execute arbitrary commands...
PT-2024-28526
Name of the Vulnerable Software and Affected Versions
CraftBeerPi 4 versions 4.0.0.58 through 4.4.1.a1
Description
The issue arises from the URL GET parameter "logtime" being used by the "downloadlog" function in "cbpi/httpendpoints/httpsystem.py". This parameter is subsequently passed ...