CVE-2024-34852

F-logic DataCube3 v1.0 is affected by command injection due to improper string filtering at the command execution point in the ./admin/transceiver_schedule.php file. An unauthenticated remote attacker can exploit this vulnerability by sending a file name containing command injection. Successful exploitation of this vulnerability may allow the attacker to execute system commands.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/Yang-Nankai/Vulnerabilities/blob/main/DataCube3%20Shell%20Code%20Injection.md	Exploit Third Party Advisory
https://github.com/Yang-Nankai/Vulnerabilities/blob/main/DataCube3%20Shell%20Code%20Injection.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:f-logic:datacube3_firmware:1.0:*:*:*:*:*:*:*

cpe:2.3:h:f-logic:datacube3:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-05-28 17:15

Updated : 2025-06-10 17:21

NVD link : CVE-2024-34852

Mitre link : CVE-2024-34852

CVE.ORG link : CVE-2024-34852

JSON object : View

Products Affected

f-logic

datacube3
datacube3_firmware

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2024-34852", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2024-05-28T17:15:10.303", "references": [{"url": "https://github.com/Yang-Nankai/Vulnerabilities/blob/main/DataCube3%20Shell%20Code%20Injection.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/Yang-Nankai/Vulnerabilities/blob/main/DataCube3%20Shell%20Code%20Injection.md", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "F-logic DataCube3 v1.0 is affected by command injection due to improper string filtering at the command execution point in the ./admin/transceiver_schedule.php file. An unauthenticated remote attacker can exploit this vulnerability by sending a file name containing command injection. Successful exploitation of this vulnerability may allow the attacker to execute system commands."}, {"lang": "es", "value": "F-logic DataCube3 v1.0 se ve afectado por la inyecci\u00f3n de comandos debido a un filtrado inadecuado de cadenas en el punto de ejecuci\u00f3n del comando en el archivo ./admin/transceiver_schedule.php. Un atacante remoto no autenticado puede aprovechar esta vulnerabilidad enviando un nombre de archivo que contenga una inyecci\u00f3n de comando. La explotaci\u00f3n exitosa de esta vulnerabilidad puede permitir al atacante ejecutar comandos del sistema."}], "lastModified": "2025-06-10T17:21:00.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:f-logic:datacube3_firmware:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F73E586-1AD1-4280-B63B-CFB91BD33BF0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:f-logic:datacube3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C0F1221C-A9CB-4625-AABD-2E4890FA6E93"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}