RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
Max CVSS: N/A | EPSS score: 0.04% | Published: 2024-03-09 | Updated: 2024-03-11
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request.
Max CVSS: N/A | EPSS score: 0.04% | Published: 2024-03-09 | Updated: 2024-03-11
A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. It affects some unknown processing in the file includes/provider.php of the component HTTP POST Request Handler. Manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Max CVSS: 5.8 | EPSS score: 0.05% | Published: 2024-03-15 | Updated: 2024-04-11
A command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via a crafted POST request to the hostapd settings form.
Max CVSS: 8.8 | EPSS score: 0.09% | Published: 2023-06-23 | Updated: 2023-07-03
A command injection vulnerability in RaspAP 2.8.0 through 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameter in /ajax/networking/get_wgkey.php.
Max CVSS: 8.8 | EPSS score: 0.06% | Published: 2023-08-01 | Updated: 2023-08-04
CVE-2022-39986 (public exploit available)
A command injection vulnerability in RaspAP 2.8.0 through 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
Max CVSS: 9.8 | EPSS score: 89.97% | Published: 2023-08-01 | Updated: 2023-08-15
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
Max CVSS: 9.0 | EPSS score: 0.32% | Published: 2021-08-24 | Updated: 2021-09-02
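The sudoers defect above is a general pattern worth checking on any appliance that delegates root commands to a web-server account: a NOPASSWD entry is only as strong as the write protection on the file it names. The audit below is an added example written for this page, not RaspAP code or a RaspAP tool. It parses NOPASSWD lines from a sudoers fragment and flags targets that are missing, not root-owned, group- or world-writable, symlinked, or living in a world-writable directory. The sudoers text, the www-data/pi entries and the temporary script paths are constructed for the demo; the parsing handles the common `user host=(runas) NOPASSWD: /cmd, /cmd args` form and skips `ALL` and aliases.

```python
"""Audit sudoers NOPASSWD entries for targets the delegated user could rewrite.

Added example for this page (not RaspAP code). Constructed sudoers text and
temporary files stand in for /etc/sudoers.d/* and /etc/raspap/hostapd/enablelog.sh.
"""
import os
import re
import stat
import tempfile

# user host=(runas) NOPASSWD: cmd1, cmd2 ...   (runas part optional)
NOPASSWD_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=(?:\(.*?\))?\s*NOPASSWD:\s*(?P<cmds>.+)$"
)


def parse_nopasswd_entries(sudoers_text):
    """Return [(user, absolute_command_path)] for every NOPASSWD command.

    Comments are stripped, argument restrictions are dropped, and non-path
    targets (ALL, command aliases) are skipped because they need alias resolution.
    """
    entries = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = NOPASSWD_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split(" ", 1)[0]
            if path.startswith("/"):
                entries.append((m.group("user"), path))
    return entries


def target_risks(path):
    """Return the reasons a NOPASSWD target is unsafe; an empty list means OK."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # Stale entry: whoever can create the file gets root via sudo.
        return ["missing-target"]
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink-target")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_uid != 0:
        reasons.append("not-root-owned")
    parent = os.lstat(os.path.dirname(path) or "/")
    # A world-writable parent without the sticky bit lets anyone rename the file away.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent-dir-world-writable")
    return reasons


def audit(sudoers_text):
    """Return [(user, path, reasons)] for every risky NOPASSWD target."""
    findings = []
    for user, path in parse_nopasswd_entries(sudoers_text):
        reasons = target_risks(path)
        if reasons:
            findings.append((user, path, reasons))
    return findings


def demo():
    """Recreate the enablelog.sh situation in a temp dir and audit it (constructed data)."""
    d = tempfile.mkdtemp()                      # mode 0700, so the parent-dir check stays quiet
    script = os.path.join(d, "enablelog.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho log enabled\n")
    os.chmod(script, 0o777)                     # the defect: the web user can overwrite a root-run script
    sudoers = f"""
# constructed fragment in the style of a RaspAP sudoers drop-in
www-data ALL=(ALL) NOPASSWD: {script}
www-data ALL=(ALL) NOPASSWD: {d}/missing.sh
pi ALL=(ALL) ALL
"""
    return audit(sudoers)


if __name__ == "__main__":
    for user, path, reasons in demo():
        print(f"RISK {user} {path} {', '.join(reasons)}")
```

Run against real drop-ins with `audit(open("/etc/sudoers.d/raspap").read())` (or `sudo -l` output reshaped into the same form); anything reported as writable or not root-owned is a direct path to root for the delegated account, and "missing-target" entries should be removed rather than left for someone to satisfy.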
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute arbitrary commands via command injection.
Max CVSS: 8.8 | EPSS score: 1.82% | Published: 2021-08-24 | Updated: 2021-09-02
Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters of /hostapd: when a parameter value contains special characters such as ";" or "$()", an authenticated attacker can execute arbitrary OS commands.
Max CVSS: 9.0 | EPSS score: 2.51% | Published: 2021-06-09 | Updated: 2021-06-21
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter of /ajax/networking/get_netcfg.php: when the "iface" value contains special characters such as ";", an unauthenticated attacker can execute arbitrary OS commands.
Max CVSS: 9.8 | EPSS score: 96.55% | Published: 2021-06-09 | Updated: 2021-06-21
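The /hostapd and get_netcfg.php entries above describe the same mechanism: a request value (an interface name, an SSID) is concatenated into a shell command, so ";" or "$()" in the value becomes a second command. The following is an added example for this page, not RaspAP code; it reproduces that pattern in Python with `echo` standing in for the real ip/hostapd invocation so it runs offline, and sets the vulnerable form beside two fixes: quoting the argument (the role PHP's escapeshellarg plays) and, better, an allowlist for the parameter plus an argv list so no shell parses the value at all. The interface-name regex (15 characters, Linux IFNAMSIZ minus the terminator) and the sample values are assumptions made for the demo.

```python
"""Shell metacharacters in a request parameter: vulnerable pattern and two fixes.

Added example for this page (not RaspAP code). "echo" replaces the real
ip/hostapd command so the demo runs offline; parameter values are constructed.
"""
import re
import shlex
import subprocess

# Allowlist assumed for the demo: Linux interface names are at most 15 bytes
# and never contain whitespace, '/', or shell metacharacters.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def run_unsafe(iface):
    """The vulnerable pattern: request value interpolated into a shell string.

    Equivalent to PHP shell_exec("ip addr show " . $_GET['iface']).
    """
    cmd = "echo iface: " + iface
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(iface):
    """Fix A: quote the value (shlex.quote ~ escapeshellarg) before the shell sees it.

    Stops injection, but still passes junk such as "wlan0; id" to the tool as a name.
    """
    cmd = "echo iface: " + shlex.quote(iface)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_iface(iface):
    """Allowlist check: True only for a plausible interface name."""
    return bool(IFACE_RE.match(iface))


def run_safe(iface):
    """Fix B: allowlist first, then an argv list so no shell parses the value."""
    if not validate_iface(iface):
        raise ValueError("invalid interface name")
    return subprocess.run(["echo", "iface:", iface], capture_output=True, text=True).stdout


def safe_rejects(iface):
    """True if run_safe refuses the value instead of executing anything."""
    try:
        run_safe(iface)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "wlan0; echo INJECTED"
    print("unsafe :", repr(run_unsafe(payload)))        # second command runs
    print("unsafe :", repr(run_unsafe("wlan0$(echo INJ)")))
    print("quoted :", repr(run_quoted(payload)))        # literal text, one command
    print("safe   :", safe_rejects(payload), repr(run_safe("wlan0")))
```

Quoting alone is the minimum patch for code that must keep building shell strings; the allowlist plus argv form is what a review should ask for, because it removes the shell from the path entirely and also rejects names the downstream tool would never accept.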
Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands into the /installers/common.sh component, resulting in remote command execution with root privileges.
Max CVSS: 9.0 | EPSS score: 6.73% | Published: 2021-06-09 | Updated: 2021-06-21
An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).
Max CVSS: 9.0 | EPSS score: 0.58% | Published: 2020-08-24 | Updated: 2020-09-01
12 vulnerabilities found