HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability in the custom command v0.1 plugin. The 'set_command_on' and 'set_command_off' POST parameters of '/system/systemplugins/customcommand/customcommand.plugin.php' are passed unsanitized to the PHP exec() function, so arbitrary shell commands run as the web user. Because the issue can be combined with a CSRF vulnerability, it can also be triggered through a logged-in user's browser.
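A sketch of the two mitigations this description implies, a CSRF token check on the POST and an allowlist in place of free-form command strings. This is an added example, not HomeAutomation's code; the `csrf_token` field, the action keys and the `relayctl` path are hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical allowlist (constructed): the form stores an action key,
// never a free-form shell string. Each key maps to a fixed argv.
const ALLOWED_ACTIONS = [
    'relay1_on'  => ['/usr/local/bin/relayctl', '1', 'on'],
    'relay1_off' => ['/usr/local/bin/relayctl', '1', 'off'],
];

// Constant-time comparison of the per-session token with the submitted one.
function csrf_ok(array $session, array $post): bool
{
    $expected = (string)($session['csrf_token'] ?? '');
    $given    = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Validate both POST parameters named in the advisory before saving them.
function validate_settings(array $session, array $post): array
{
    if (!csrf_ok($session, $post)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
    $clean = [];
    foreach (['set_command_on', 'set_command_off'] as $field) {
        $key = $post[$field] ?? null;
        if (!is_string($key) || !array_key_exists($key, ALLOWED_ACTIONS)) {
            throw new InvalidArgumentException("$field: action not allowed");
        }
        $clean[$field] = $key;
    }
    return $clean;
}

// Build the command line from the fixed argv only; every part is escaped.
function command_line(string $key): string
{
    return implode(' ', array_map('escapeshellarg', ALLOWED_ACTIONS[$key]));
}

// Constructed requests: one carries the session token, one (cross-site) does not.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$fields  = ['set_command_on' => 'relay1_on', 'set_command_off' => 'relay1_off'];
foreach ([$fields + ['csrf_token' => $session['csrf_token']], $fields] as $post) {
    try {
        $saved = validate_settings($session, $post);
        echo 'saved: ', command_line($saved['set_command_on']), PHP_EOL;
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first request is saved and prints the fixed command line; the second is rejected before any value is stored.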