PT-2025-6038 · Unknown · Revolution Pi

Ethan Shackelford · Published 2025-02-10 · Updated 2025-02-14 · CVE-2024-8684

CVSS v3.1: 8.3 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Revolution Pi version 2022-07-28-revpi-buster

Description

This issue allows an authenticated attacker to execute OS commands on the device via the arrSaveConfig parameter of the 'php/dal.php' endpoint.

Recommendations

For Revolution Pi version 2022-07-28-revpi-buster, as a temporary workaround, consider disabling access to the 'php/dal.php' endpoint or restricting the use of the arrSaveConfig parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2024-8684

Affected Products

Revolution Pi