Phoniebox · Phoniebox · CVE-2024-3798
**Name of the Vulnerable Software and Affected Versions**
Phoniebox versions prior to 3.0
**Description**
The issue stems from insecure handling of the `file` parameter in GET requests to the Phoniebox web interface: the value is used without adequate sanitization. Because the affected endpoints accept plain GET requests, an attacker can host a website that, when visited by a user on the same local network as a Phoniebox, makes the victim's browser send crafted requests to many candidate hosts on that network. If one of those requests reaches a vulnerable Phoniebox instance, it can lead to shell command execution, reflected cross-site scripting (XSS), or cross-site request forgery (CSRF).
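The two halves of the problem, the unsanitized `file` value reaching a shell and the request being triggerable from another site, are illustrated below. This is an added example written for this page, not code from the Phoniebox project: the media root, the `mpc add` command, the `phoniebox.local` origin and all function names are assumptions made for illustration. The first function reproduces the vulnerable concatenation pattern; the hardened handler confines the path to the media folder, builds an argument vector instead of a shell string, and refuses requests whose Origin or Referer names another site.

```python
"""Added example (not Phoniebox code): an unsanitised `file` GET parameter spliced
into a shell command, next to a hardened handler.  MEDIA_ROOT, the `mpc add`
command, the phoniebox.local origin and the function names are assumptions."""
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Hypothetical directory under which all playable files are expected to live.
MEDIA_ROOT = Path("/srv/phoniebox/audiofolders")


class BadRequest(ValueError):
    """Raised by the hardened handler when the request must be rejected."""


def file_param(query_string: str) -> str:
    """Extract the percent-decoded `file` GET parameter from a raw query string."""
    return parse_qs(query_string).get("file", [""])[0]


def build_command_unsafe(query_string: str) -> str:
    """VULNERABLE pattern: the untrusted value is concatenated into one command
    string destined for a shell.  A value like `song.mp3;id` appends a second
    command, and `../` sequences reach files outside the media folder."""
    return "mpc add " + file_param(query_string)


def build_command_safe(query_string: str, media_root: Path = MEDIA_ROOT) -> list:
    """HARDENED pattern: confine the path to media_root and return an argv list
    for subprocess.run(argv) with the default shell=False, so metacharacters in
    the value are passed as literal characters and never interpreted."""
    raw = file_param(query_string)
    if not raw or "\x00" in raw:
        raise BadRequest("missing or malformed file parameter")
    if raw.startswith(("/", "\\")):
        raise BadRequest("absolute paths are not allowed")
    root = media_root.resolve()
    candidate = (media_root / raw).resolve()  # collapses ../ and symlinks
    if candidate != root and root not in candidate.parents:
        raise BadRequest("path escapes the media root")
    return ["mpc", "add", str(candidate.relative_to(root))]


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] for origin comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_trusted_origin(headers: dict, allowed_origins) -> bool:
    """Defend against the cross-site trigger: browsers attach Origin (or at least
    Referer) to requests started by another site, so a request naming an origin
    outside the allow-list is refused.  Requests carrying neither header are only
    accepted when they include a custom header that simple cross-site loads
    (<img>, <form>, <script>) cannot set; a cross-origin fetch adding it would
    trigger a CORS preflight, which this server does not approve."""
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        return origin_of(source) in allowed_origins
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def handle_request(query_string: str, headers: dict,
                   allowed_origins=frozenset({"http://phoniebox.local"}),
                   media_root: Path = MEDIA_ROOT) -> tuple:
    """Hardened entry point: returns (HTTP status, argv list or error text)."""
    if not is_trusted_origin(headers, allowed_origins):
        return 403, "cross-site request refused"
    try:
        return 200, build_command_safe(query_string, media_root)
    except BadRequest as exc:
        return 400, str(exc)
```

Note that the origin check is a mitigation for the cross-site trigger, not a substitute for the path and argv fixes: an attacker already on the local network can send the GET request directly, so the handler must be safe regardless of who sends it.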
**Recommendations**
For Phoniebox versions prior to 3.0, update to version 3.0 or later, which resolves the issue.
As a temporary workaround until the upgrade can be applied, restrict access to the web interface endpoints that accept the `file` parameter in GET requests (for example, to trusted hosts on the local network).