Raspap

raspap

15 CVEs • 2 products

Products (2)

Click to collapse

Toggle

CVEs (15)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-50428 1Raspap 1Raspap Webgui Sep 9, 2025 Aug 27, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In RaspAP raspap-webgui 3.3.2 and earlier, a command injection vulnerability exists in the includes/hostapd.php script. The vulnerability is due to improper sanitizing of user input passed via the interface parameter.
CVE-2025-44163 1Raspap 1Raspap Webgui Nov 10, 2025 Jun 27, 2025 N/A· v4 6.3 MEDIUM· v3 N/A· v2 RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overw...Show more RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.Show less
CVE-2024-36622 1Raspap 1Raspap Webgui Jul 2, 2025 Nov 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. The vulnerability is due to improper sanitization of user input passed via the logfile parameter.
CVE-2024-2497 1Raspap 1Raspap Apr 9, 2025 Mar 15, 2024 N/A· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulatio...Show more A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-28754 1Raspap 1Raspap May 1, 2025 Mar 9, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
CVE-2024-28753 1Raspap 1Raspap May 1, 2025 Mar 9, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request.
CVE-2022-39987 1Raspap 1Raspap Nov 21, 2024 Aug 1, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.
CVE-2022-39986 1Raspap 1Raspap Nov 21, 2024 Aug 1, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php...Show more A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.Show less
CVE-2023-30260 1Raspap 1Raspap Nov 21, 2024 Jun 23, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.
CVE-2021-38557 1Raspap 1Raspap Nov 21, 2024 Aug 24, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however,...Show more raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.Show less
CVE-2021-38556 1Raspap 1Raspap Nov 21, 2024 Aug 24, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.
CVE-2021-33358 1Raspap 1Raspap Nov 21, 2024 Jun 9, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables a...Show more Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands.Show less
CVE-2021-33357 1Raspap 1Raspap Nov 21, 2024 Jun 9, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated att...Show more A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.Show less
CVE-2021-33356 1Raspap 1Raspap Nov 21, 2024 Jun 9, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command executio...Show more Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.Show less
CVE-2020-24572 1Raspap 1Raspap Nov 21, 2024 Aug 24, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running...Show more An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).Show less