PT-2024-22288 · Unknown · Image Access Scan2Net

Daniel Hirschberger +1 · Published 2024-12-05 · Updated 2024-12-11 · CVE-2024-28138

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Image Access Scan2Net versions (affected versions not specified)

Description

An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized. This allows an attacker to inject arbitrary code on the target system.

Recommendations

As a temporary workaround, consider disabling the "msg events.php" script until a patch is available. Restrict access to the "data" parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2024-28138

Affected Products: Image Access Scan2Net