CVE-2024-8685
Description
Path-Traversal vulnerability in Revolution Pi version 2022-07-28-revpi-buster from KUNBUS GmbH. This vulnerability could allow an authenticated attacker to list device directories via the ‘/pictory/php/getFileList.php’ endpoint in the ‘dir’ parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated path traversal vulnerability in Revolution Pi's getFileList.php endpoint allows listing device directories.
A path traversal vulnerability (CWE-22) exists in Revolution Pi's "/pictory/php/getFileList.php" endpoint, specifically in the "dir" parameter [1]. The flaw arises from insufficient input validation, enabling an authenticated attacker to navigate the filesystem beyond intended directories.
Exploitation requires authentication but no special privileges, with network access to the affected endpoint. The attacker manipulates the "dir" parameter with path traversal sequences (e.g., ../) to list arbitrary directories on the device.
Successful exploitation allows an attacker to enumerate the filesystem, revealing sensitive file paths and configurations. This information leakage could aid further attacks, though direct file read or modification is not possible via this vulnerability.
The vulnerability is fixed in Revolution Pi pictory version 2.1.1 [1]. Users should update to this version or later to mitigate the risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
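Detection logic for the request pattern described above, run over web access logs. This is an added example, not code from KUNBUS or from this CVE record. It assumes the `dir` parameter arrives in the query string and that the server writes combined-format access logs; the log lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/pictory/php/getFileList.php"  # endpoint named in the CVE description
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(dir_value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    decoded = fully_decode(dir_value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))

def suspicious_requests(log_lines):
    """Return (client_ip, status, decoded dir) for traversal attempts on the endpoint."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match["target"])
        if fully_decode(target.path) != ENDPOINT:
            continue
        for value in parse_qs(target.query, keep_blank_values=True).get("dir", []):
            if has_traversal(value):
                hits.append((line.split()[0], int(match["status"]), fully_decode(value)))
    return hits

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Oct/2024:10:00:01 +0000] "GET /pictory/php/getFileList.php?dir=projects HTTP/1.1" 200 312',
    '198.51.100.7 - admin [01/Oct/2024:10:02:44 +0000] "GET /pictory/php/getFileList.php?dir=../../etc HTTP/1.1" 200 1840',
    '198.51.100.7 - admin [01/Oct/2024:10:02:51 +0000] "GET /pictory/php/getFileList.php?dir=%252e%252e%252fhome HTTP/1.1" 200 97',
    '192.0.2.10 - admin [01/Oct/2024:10:05:12 +0000] "GET /example/list.php?dir=../x HTTP/1.1" 404 0',
    '192.0.2.10 - admin [01/Oct/2024:10:06:30 +0000] "GET /pictory/php/getFileList.php?dir=backup..old HTTP/1.1" 200 55',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} dir={value!r}")
```

A 200 status on a flagged request is worth triaging first, since it suggests the listing was returned; requests that carry `dir` in a POST body will not appear in access logs and need request-body logging or a WAF rule instead.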
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.