CVE-2024-28138 Information

Description

An unauthenticated attacker with network access to the affected device’s web interface can execute any system command via the \msg_events.php\ script as the www-data user. The HTTP GET parameter \data\ is not properly sanitized.

Reference

https://r.sec-consult.com/imageaccess https://www.imageaccess.de/?page=SupportPortal&lang=en