{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8685", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-09-11T08:12:15.875Z", "datePublished": "2025-02-10T12:46:27.511Z", "dateUpdated": "2025-02-12T15:44:16.709Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Revolution Pi", "vendor": "KUNBUS GmbH", "versions": [{"status": "affected", "version": "2022-07-28-revpi-buster version"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ehab Hussein"}], "datePublic": "2025-02-10T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Path-Traversal vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to list device directories via the \u2018/pictory/php/getFileList.php\u2019 endpoint in the \u2018dir\u2019 parameter."}], "value": "Path-Traversal vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to list device directories via the \u2018/pictory/php/getFileList.php\u2019 endpoint in the \u2018dir\u2019 parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-02-10T12:46:27.511Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "source": {"discovery": "EXTERNAL"}, "title": "Path-Traversal vulnerability in Revolution Pi", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-10T13:20:24.873787Z", "id": "CVE-2024-8685", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:44:16.709Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8685", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-09-11T08:12:15.875Z", "datePublished": "2025-02-10T12:46:27.511Z", "dateUpdated": "2025-02-12T15:44:16.709Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Revolution Pi", "vendor": "KUNBUS GmbH", "versions": [{"status": "affected", "version": "2022-07-28-revpi-buster version"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ehab Hussein"}], "datePublic": "2025-02-10T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Path-Traversal vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to list device directories via the \u2018/pictory/php/getFileList.php\u2019 endpoint in the \u2018dir\u2019 parameter."}], "value": "Path-Traversal vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to list device directories via the \u2018/pictory/php/getFileList.php\u2019 endpoint in the \u2018dir\u2019 parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-02-10T12:46:27.511Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "value": "The command injection vulnerability has been fixed by the KUNBUS team in the Revolution Pi webstatus 2.4.2 release. Path Traversal vulnerability has been fixed by the KUNBUS team in Revolution Pi pictory 2.1.1."}], "source": {"discovery": "EXTERNAL"}, "title": "Path-Traversal vulnerability in Revolution Pi", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8685", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-10T13:20:24.873787Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:44:13.171Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Path-Traversal vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to list device directories via the \u2018/pictory/php/getFileList.php\u2019 endpoint in the \u2018dir\u2019 parameter."}], "id": "CVE-2024-8685", "lastModified": "2025-02-10T13:15:26.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2025-02-10T13:15:26.270", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}