#VU93369 OS Command Injection in Cam v3 - CVE-2024-6247
Published: June 26, 2024
Vulnerability identifier: #VU93369
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-6247
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cam v3
Cam v3
Software vendor:
Wyze Labs
Wyze Labs
Description
The vulnerability allows a local attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the handling of SSIDs embedded in scanned QR codes. An attacker with physical access can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.