
Pondzik

#26307 of 53,624
9.8 Total CVSS
Vulnerabilities · 1
PT-2024-28526
9.8
2024-05-02
Unknown · Craftbeerpi 4 · CVE-2024-3955
**Name of the Vulnerable Software and Affected Versions**

CraftBeerPi 4 versions 4.0.0.58 through 4.4.1.a1

**Description**

The issue arises from the URL GET parameter `logtime` being used in the `downloadlog` function in `cbpi/http_endpoints/http_system.py`. This parameter is subsequently passed to the `os.system` function in `cbpi/controller/system_controller.py` without prior validation, allowing the execution of arbitrary code.

**Recommendations**

For CraftBeerPi 4 versions 4.0.0.58 through 4.4.1.a1, update to a version after 4.4.1.a1 to resolve the issue. As a temporary workaround, consider disabling the `downloadlog` function until a patch is available. Restrict access to the `os.system` function to minimize the risk of exploitation. Avoid using the `logtime` parameter in the affected API endpoint until the issue is resolved.