CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via a crafted POST request to the hostapd settings form.
• https://eldstal.se/advisories/230328-raspap.html
• https://github.com/RaspAP/raspap-webgui/pull/1322
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.0 • EPSS: 10% • CPEs: 1 • EXPL: 2

Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd: when the parameter values contain special characters such as ";" or "$()", an authenticated attacker can execute arbitrary OS commands.
• https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
• https://github.com/RaspAP/raspap-webgui/blob/8f0ae3b36aa1020d21477e66010c6b2146e7c222/app/img/wifi-qr-code.php
• https://github.com/RaspAP/raspap-webgui/blob/b02660d5ff8d9faa5d3ef49778b23e832851e0f4/includes/hostapd.php
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 • EPSS: 96% • CPEs: 1 • EXPL: 1

A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php: when the "iface" parameter value contains special characters such as ";", an unauthenticated attacker can execute arbitrary OS commands.
• https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
• https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_netcfg.php
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.0 • EPSS: 8% • CPEs: 1 • EXPL: 5

Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands into the /installers/common.sh component, which can result in remote command execution with root privileges.
• https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
• https://github.com/RaspAP/raspap-webgui/blob/5a7b77459839c9420fac0d10ec28cee1af9bb782/installers/common.sh#L216
• https://github.com/RaspAP/raspap-webgui/blob/5a7b77459839c9420fac0d10ec28cee1af9bb782/installers/common.sh#L231
• https://github.com/RaspAP/raspap-webgui/blob/5a7b77459839c9420fac0d10ec28cee1af9bb782/installers/common.sh#L314
• https://github.com/RaspAP/raspap-webgui/blob/5a7b77459839c9420fac0d10ec28cee1af9bb782/installers/common.sh#L407
• https://github.com/RaspAP/raspap-webgui/blob/5a7b77
• CWE-269: Improper Privilege Management