CVSS: 5.8 EPSS: 0% CPEs: 1 EXPL: 1

A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. It affects unknown processing in the file includes/provider.php of the component HTTP POST Request Handler. Manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://toradah.notion.site/Code-Injection-Leading-to-Remote-Code-Execution-RCE-in-RaspAP-Web-GUI-d321e1a416694520bec7099253c65060?pvs=4 https://vuldb.com/?ctiid.256919 https://vuldb.com/?id.256919 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 EPSS: 0% CPEs: 1 EXPL: 3

A command injection vulnerability in RaspAP 2.8.0 through 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php. • https://github.com/miguelc49/CVE-2022-39987-2 https://github.com/miguelc49/CVE-2022-39987-3 https://github.com/miguelc49/CVE-2022-39987-1 https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.8 EPSS: 86% CPEs: 1 EXPL: 2

A command injection vulnerability in RaspAP 2.8.0 through 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A command injection vulnerability in RaspAP versions 2.8.0 through 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7. • https://github.com/tucommenceapousser/RaspAP-CVE-2022-39986-PoC https://github.com/mind2hex/CVE-2022-39986 http://packetstormsecurity.com/files/174190/RaspAP-2.8.7-Unauthenticated-Command-Injection.html https://github.com/RaspAP/raspap-webgui/blob/master/ajax/openvpn/activate_ovpncfg.php https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 https://github.com/advisories/GHSA-7c28-wg7r-pg6f • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 8.8 EPSS: 0% CPEs: 1 EXPL: 1

A command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via a crafted POST request to the hostapd settings form. • https://eldstal.se/advisories/230328-raspap.html https://github.com/RaspAP/raspap-webgui/pull/1322 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 8.8 EPSS: 2% CPEs: 1 EXPL: 1

includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. • https://github.com/RaspAP/raspap-webgui https://github.com/RaspAP/raspap-webgui/blob/0e1d652c5e55f812aaf2a5908884e9db179416ee/includes/configure_client.php https://zerosecuritypenetrationtesting.com/?page_id=306 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')