Filtered by vendor Raspap Subscriptions
Total 10 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-30260 1 Raspap 1 Raspap 2024-12-05 8.8 High
Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.
CVE-2024-28754 1 Raspap 1 Raspap 2024-11-21 7.5 High
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
CVE-2022-39987 1 Raspap 1 Raspap 2024-11-21 8.8 High
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.
CVE-2022-39986 1 Raspap 1 Raspap 2024-11-21 9.8 Critical
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
CVE-2021-38557 1 Raspap 1 Raspap 2024-11-21 8.8 High
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
CVE-2021-38556 1 Raspap 1 Raspap 2024-11-21 8.8 High
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.
CVE-2021-33358 1 Raspap 1 Raspap 2024-11-21 8.8 High
Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands.
CVE-2021-33357 1 Raspap 1 Raspap 2024-11-21 9.8 Critical
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
CVE-2021-33356 1 Raspap 1 Raspap 2024-11-21 8.8 High
Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.
CVE-2020-24572 1 Raspap 1 Raspap 2024-11-21 8.8 High
An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).