CVE-2024-4874721.11.2024, 15:15An issue in alist-tvbox v1.7.1 allows a remote attacker to execute arbitrary code via the /atv-cli file.Command InjectionEnginsightProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVectorNISTNIST6.8 MEDIUMNETWORKLOWHIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HmitreCNA------CISA-ADPADP6.8 MEDIUMNETWORKLOWHIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HBase ScoreCVSS 3.xEPSS ScorePercentile: 69%Common Weakness EnumerationCWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Referenceshttps://github.com/6pc1/BugHub/blob/main/alist-tvbox%20command%20execution%20vulnerability.pdf