
CVE-2023-30260
https://notcve.org/view.php?id=CVE-2023-30260
23 Jun 2023 — Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via a crafted POST request to the hostapd settings form. • https://eldstal.se/advisories/230328-raspap.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2021-38556
https://notcve.org/view.php?id=CVE-2021-38556
24 Aug 2021 — includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. • https://github.com/RaspAP/raspap-webgui • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2021-38557
https://notcve.org/view.php?id=CVE-2021-38557
24 Aug 2021 — raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. • https://github.com/RaspAP/raspap-webgui • CWE-732: Incorrect Permission Assignment for Critical Resource