CVE ID | CVE-2024-3798 |
Publication date | 10 July 2024 |
Vendor | Phoniebox |
Product | Phoniebox |
Vulnerable versions | All through 2.7 |
Vulnerability type (CWE) | Cross-Site Request Forgery (CSRF) (CWE-352) |
Report source | Own research |

CVE ID | CVE-2024-3799 |
Publication date | 10 July 2024 |
Vendor | Phoniebox |
Product | Phoniebox |
Vulnerable versions | All through 2.7 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) |
Report source | Own research |
Description
During its own research, CERT Polska found several weaknesses in the Phoniebox open-source project.
Insecure handling of the GET header parameter file included in requests sent to an instance of the open-source project Phoniebox allows an attacker to create a website which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery. This vulnerability has been assigned CVE-2024-3798.
Insecure handling of the POST header parameter body included in requests sent to an instance of the open-source project Phoniebox allows an attacker to create a website which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause a shell command execution. This vulnerability has been assigned CVE-2024-3799.
These issues affect Phoniebox in all releases through 2.7. Newer releases were not tested, but they might also be vulnerable. A GitHub issue has been created to address these vulnerabilities.
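The two weakness classes above (CWE-352 and CWE-78) are countered by separate server-side checks; the sketch below is an added example, not code from Phoniebox or from CERT Polska, showing a request handler that refuses cross-site requests and passes a `file` value to a program without a shell. The host name, media directory, player binary and `csrf_token` field are assumptions made for illustration.

```python
import hmac
from pathlib import PurePosixPath
from urllib.parse import urlsplit

MEDIA_ROOT = PurePosixPath("/srv/media")   # assumed media directory
PLAYER = "/usr/bin/example-player"         # hypothetical player binary
HOST = "phoniebox.local"                   # assumed host name of the instance


def same_origin(headers):
    """False when the browser reports that another site triggered the request."""
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site != "same-origin":
        return False
    origin = headers.get("Origin")
    return origin is None or urlsplit(origin).netloc == HOST


def resolve_media(file_param):
    """Map the request's `file` value to a path under MEDIA_ROOT, or None."""
    if not file_param or "\x00" in file_param:
        return None
    rel = PurePosixPath(file_param)
    if rel.is_absolute() or ".." in rel.parts:
        return None
    return MEDIA_ROOT / rel


def handle(method, headers, params, session_token):
    """Return (status, argv); argv is meant for subprocess.run(argv), no shell."""
    if method != "POST":                   # state changes never ride on GET
        return 405, None
    if not same_origin(headers):
        return 403, None
    token = params.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            token.encode(), session_token.encode()):
        return 403, None
    path = resolve_media(params.get("file", ""))
    if path is None:
        return 400, None
    # The value stays one argv element; "--" keeps it from being read as an option.
    return 200, [PLAYER, "--", str(path)]
```

Because the command is built as an argument list, shell metacharacters in the parameter remain literal characters of a single file name instead of being interpreted.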
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.