CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41637
https://notcve.org/view.php?id=CVE-2024-41637
29 Jul 2024 — RaspAP before 3.1.5 allows an attacker to escalate privileges: the www-data user has write access to the restapi.service file and also possesses Sudo privileges to execute several critical commands without a password. • https://blog.0xzon.dev/2024-07-27-CVE-2024-41637 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2497 – RaspAP raspap-webgui HTTP POST Request provider.php code injection
https://notcve.org/view.php?id=CVE-2024-2497
15 Mar 2024 — A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://toradah.notion.site/Code-Injection-Leading-to-Remote-Code-Execution-RCE-in-RaspAP-Web-GUI-d321e1a416694520bec7099253c65060?pvs=4 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 92%CPEs: 1EXPL: 3CVE-2022-39986 – RaspAP 2.8.7 Unauthenticated Command Injection
https://notcve.org/view.php?id=CVE-2022-39986
01 Aug 2023 — A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Una vulnerabilidad de inyección de comandos en RaspAP afecta a las versiones desde la 2.8.0 a la 2.8.7, la cual permite a atacantes no autenticados ejecutar comandos arbitrarios a través del parámetro cfg_id en /ajax/openvpn/activate_ovpncfg.php y /ajax/openvpn/del_ovpncfg.php. RaspAP is f... • https://packetstorm.news/files/id/174190 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 3CVE-2022-39987
https://notcve.org/view.php?id=CVE-2022-39987
01 Aug 2023 — A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php. Vulnerabilidad de inyección de comandos en RaspAP que afecta desde la versión 2.8.0 hasta la 2.9.2, la cual permite a un atacante autenticado ejecutar comandos arbitrarios del sistema operativo como root a través de los parámetros POST "entity" en /ajax/networking/get_wgkey.php. • https://github.com/miguelc49/CVE-2022-39987-2 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30260
https://notcve.org/view.php?id=CVE-2023-30260
23 Jun 2023 — Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form. • https://eldstal.se/advisories/230328-raspap.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 5%CPEs: 1EXPL: 1CVE-2021-38556
https://notcve.org/view.php?id=CVE-2021-38556
24 Aug 2021 — includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. el archivo includes/configure_client.php en RaspAP versión 2.6.6, permite a atacantes ejecutar comandos por medio de inyección de comandos. • https://github.com/RaspAP/raspap-webgui • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 1CVE-2021-38557
https://notcve.org/view.php?id=CVE-2021-38557
24 Aug 2021 — raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. raspap-webgui en RaspAP versión 2.6.6, permite a atacantes ejecutar comandos como root debido a permisos no seguros de sudoers. La cuenta www-data puede ejecutar el archivo /etc/raspap/host... • https://github.com/RaspAP/raspap-webgui • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.0EPSS: 15%CPEs: 1EXPL: 2CVE-2021-33358
https://notcve.org/view.php?id=CVE-2021-33358
09 Jun 2021 — Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands. Se presenta una vulnerabilidad en RaspAP versiones 2.3 a 2.6.5 en los parámetros "interface", "ssid" y "wpa_passphrase" POST en la función /hostapd, cuando los valores de los parámetros contienen caracteres especiales como ";" o "$()... • https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 96%CPEs: 1EXPL: 1CVE-2021-33357
https://notcve.org/view.php?id=CVE-2021-33357
09 Jun 2021 — A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands. Se presenta una vulnerabilidad en RaspAP versiones 2.6 hasta 2.6.5, en el parámetro "iface" GET en el archivo /ajax/networking/get_netcfg.php, cuando el valor del parámetro "iface" contiene caracteres especiales como ";" que permite a un atacante no au... • https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 8%CPEs: 1EXPL: 5CVE-2021-33356
https://notcve.org/view.php?id=CVE-2021-33356
09 Jun 2021 — Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges. Múltiples vulnerabilidades de escalada de privilegios en RaspAP versiones 1.5 hasta 2.6.5, podrían permitir a un atacante remoto autenticado inyectar comandos arbitrarios en el componente /installers/common.sh que pueden resultar en una ejecución de comandos remotos c... • https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf • CWE-269: Improper Privilege Management •