CVE-2024-28892
Aliases: GHSA-5qww-56gc-f66c, GO-2024-3359
Advisory lineage Upstream: 0 Downstream: 2
Downstream
Analyzed
Published: 21 Nov 2024, 14:41
Last modified: 21 Nov 2024, 16:03
Vulnerability Summary
Overall Risk (default): high (70/100)
CVSS Score: 9.8 CRITICAL, v3.1 (cve.org)
EPSS Score: 1.85% LOW (2% probability, +1.12%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 21 Nov 2024, 14:41 • Published • Vulnerability first disclosed
- 21 Nov 2024, 16:03 • Last Modified • Vulnerability information updated
Description
An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CVSS Metrics
- v3.1 • CRITICAL • Score: 9.8 • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 1.85% • Percentile: 83%
Techniques & Countermeasures
- CWE-78 • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Affected Systems
- gocast • gocast: 1.1.3
- github.com/mayuresh82 • gocast: ≤ 1.1.3 | all
- mayuresh82 • gocast: 1.1.3