OS Command Injection in Cam v3 - CVE-2024-6247

 

OS Command Injection in Cam v3 - CVE-2024-6247

Published: June 26, 2024


Vulnerability identifier: #VU93369
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-6247
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Wyze Labs
Affected software:
Cam v3

Detailed vulnerability description

The vulnerability allows a local attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the handling of SSIDs embedded in scanned QR codes. An attacker with physical access can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


How to mitigate CVE-2024-6247

Install updates from vendor's website.

Sources