GoogleOSV:GHSA-7C28-WG7R-PG6FRaspAP Command Injection vulnerability
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.881 High
EPSS
Percentile
98.7%
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
References
github.com/RaspAP/raspap-webgui
github.com/RaspAP/raspap-webgui/blob/master/ajax/openvpn/activate_ovpncfg.php
github.com/RaspAP/raspap-webgui/commit/1fabc481690e008279113e18d0642c5279e3b56e
github.com/RaspAP/raspap-webgui/pull/1303
medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2
nvd.nist.gov/vuln/detail/CVE-2022-39986
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.881 High
EPSS
Percentile
98.7%