raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh wit...

GHSA-536P-4PCJ-5MR9 raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions.

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh wit...

Command Injection

billz/raspap-webgui is vulnerable to remote code execution. An attacker is able to exploit the vulnerability by injecting malicious code via the POST request...

CVE-2021-38557

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh wit...

CVE-2021-38557

raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh wit...

RaspAP安全漏洞

RaspAP is a software solution that can easily deploy Raspberry Pi as a wireless AP access point with a set of responsive WebUI to control WiFi, as easy to use as a home router. raspap-webgui in RaspAP version 2.6.6 is vulnerable to remote code execution. The vulnerability stems from insecure...

Privilege Escalation

billz/raspap-webgui is vulnerable to Privilege Escalation via OS commaind injection. An attacker can send an input of "a && whoami" to append strval$POST'connect' to the end of the exec function in configureclient.php , executing /etc/raspap/hostapd/enablelog.sh as root with no password and...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum LSF Application Center

Summary There are multiple vulnerabilities in IBM®Runtime Environment Java™Version 8 used by IBM Spectrum LSF Application Center. IBM Spectrum LSF Application Center has addressed the applicable CVEs. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

Security Bulletin: Multiple vulnerabilities in Tivoli Netcool/OMNIbus WebGUI (CVE-2021-29803, CVE-2021-29804, CVE-2021-29805, CVE-2021-29822)

Summary Fix is available for vulnerabilities in Tivoli Netcool/OMNIbus WebGUI CVE-2021-29803, CVE-2021-29804, CVE-2021-29805, CVE-2021-29822. Vulnerability Details CVEID: CVE-2021-29804 DESCRIPTION: IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbusGUI is vulnerable to stored cross-si...

CVE-2020-19204

An authenticated Stored Cross-Site Scriptiong XSS vulnerability exists in Lightning Wire Labs IPFire 2.21 x8664 - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text box or "remark" parameter. It allows an authenticated WebGUI user to execute Stored Cross-site Scripti...

CVE-2020-19203

An authenticated Cross-Site Scripting XSS vulnerability was found in widgets/widgets/wakeonlanwidget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr description parameter of wake-on-LAN entries in its output, leading to a...

CVE-2020-19203

An authenticated Cross-Site Scripting XSS vulnerability was found in widgets/widgets/wakeonlanwidget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr description parameter of wake-on-LAN entries in its output, leading to a...

Cross site scripting

An authenticated Cross-Site Scripting XSS vulnerability was found in widgets/widgets/wakeonlanwidget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr description parameter of wake-on-LAN entries in its output, leading to a...

CVE-2020-19201

A Stored Cross-Site Scripting XSS vulnerability was found in statusfilterreload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr description...

CVE-2020-19203

pfSense WebGUI authenticated XSS (CVE-2020-19203) affects wake_on_lan_widget.php in 2.4.4-p2 and earlier. The widget fails to encode the descr field of wake-on-LAN entries, allowing stored XSS. Affected component: widgets/wake_on_lan_widget.php (pfSense WebGUI). Impact: potential script execution...

CVE-2020-19202

An authenticated Stored XSS Cross-site Scripting exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 x8664 - Core Update 130. It allows an authenticated WebGUI user with privileges to execute Stored Cross-site Scripting in the...

Privilege Escalation

billz/raspap-webgui is vulnerable to privilege escalation. An authenticated attacker is able to inject malicious command to /installers/common.sh component, leading to a remote code execution with root level permission...

Security Bulletin: Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - April 2021 CPU

Summary Websphere Application Server WAS is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about security vulnerabilities affecting WAS has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

Security Bulletin: Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2015-5262, CVE-2014-3577, CVE-2012-6153, CVE-2011-1498)

Summary Websphere Application Server WAS is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2021-20453)

Summary Websphere Application Server WAS is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...