CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 3CVE-2022-39987
https://notcve.org/view.php?id=CVE-2022-39987
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php. Vulnerabilidad de inyección de comandos en RaspAP que afecta desde la versión 2.8.0 hasta la 2.9.2, la cual permite a un atacante autenticado ejecutar comandos arbitrarios del sistema operativo como root a través de los parámetros POST "entity" en /ajax/networking/get_wgkey.php. • https://github.com/miguelc49/CVE-2022-39987-2 https://github.com/miguelc49/CVE-2022-39987-3 https://github.com/miguelc49/CVE-2022-39987-1 https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 86%CPEs: 1EXPL: 2CVE-2022-39986 – RaspAP 2.8.7 Unauthenticated Command Injection
https://notcve.org/view.php?id=CVE-2022-39986
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Una vulnerabilidad de inyección de comandos en RaspAP afecta a las versiones desde la 2.8.0 a la 2.8.7, la cual permite a atacantes no autenticados ejecutar comandos arbitrarios a través del parámetro cfg_id en /ajax/openvpn/activate_ovpncfg.php y /ajax/openvpn/del_ovpncfg.php. RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. Successfully tested against RaspAP 2.8.0 and 2.8.7. • https://github.com/tucommenceapousser/RaspAP-CVE-2022-39986-PoC https://github.com/mind2hex/CVE-2022-39986 http://packetstormsecurity.com/files/174190/RaspAP-2.8.7-Unauthenticated-Command-Injection.html https://github.com/RaspAP/raspap-webgui/blob/master/ajax/openvpn/activate_ovpncfg.php https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2 https://github.com/advisories/GHSA-7c28-wg7r-pg6f • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30260
https://notcve.org/view.php?id=CVE-2023-30260
Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form. • https://eldstal.se/advisories/230328-raspap.html https://github.com/RaspAP/raspap-webgui/pull/1322 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •