
CVE-2023-30260
https://notcve.org/view.php?id=CVE-2023-30260
23 Jun 2023 — Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via a crafted POST request to the hostapd settings form. • https://eldstal.se/advisories/230328-raspap.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2021-33358
https://notcve.org/view.php?id=CVE-2021-33358
09 Jun 2021 — Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()", which enables an authenticated attacker to execute arbitrary OS commands. • https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2021-33357
https://notcve.org/view.php?id=CVE-2021-33357
09 Jun 2021 — A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";", which enables an unauthenticated attacker to execute arbitrary OS commands. • https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2021-33356
https://notcve.org/view.php?id=CVE-2021-33356
09 Jun 2021 — Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands into the /installers/common.sh component, which can result in remote command execution with root privileges. • https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf • CWE-269: Improper Privilege Management •

CVE-2020-24572
https://notcve.org/view.php?id=CVE-2020-24572
24 Aug 2020 — An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code). • https://github.com/gerbsec/CVE-2020-24572-POC • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •