CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via a crafted POST request to the hostapd settings form. • https://eldstal.se/advisories/230328-raspap.html • https://github.com/RaspAP/raspap-webgui/pull/1322 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 8.8 • EPSS: 2% • CPEs: 1 • EXPL: 1

includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. • https://github.com/RaspAP/raspap-webgui • https://github.com/RaspAP/raspap-webgui/blob/0e1d652c5e55f812aaf2a5908884e9db179416ee/includes/configure_client.php • https://zerosecuritypenetrationtesting.com/?page_id=306 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content. • https://github.com/RaspAP/raspap-webgui • https://github.com/RaspAP/raspap-webgui/blob/fabc48c7daae4013b9888f266332e510b196a062/installers/raspap.sudoers • https://zerosecuritypenetrationtesting.com/?page_id=306 • CWE-732: Incorrect Permission Assignment for Critical Resource