2021-04-27 17:51:17
mitre
PUBLISHED
HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability in the custom command v0.1 plugin. It can be exploited through a CSRF vulnerability to execute arbitrary shell commands as the web user via the set_command_on and set_command_off POST parameters in /system/systemplugins/customcommand/customcommand.plugin.php, which are used in an unsanitized PHP exec() call.