Vulnerability Details CVE-2022-39987
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.763
EPSS Ranking 98.9%
CVSS Severity
CVSS v3 Score 8.8
References
- https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php
- https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2
- https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php
- https://medium.com/%40ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2
Products affected by CVE-2022-39987
-
cpe:2.3:a:raspap:raspap:2.8.0
-
cpe:2.3:a:raspap:raspap:2.8.1
-
cpe:2.3:a:raspap:raspap:2.8.2
-
cpe:2.3:a:raspap:raspap:2.8.3
-
cpe:2.3:a:raspap:raspap:2.8.4
-
cpe:2.3:a:raspap:raspap:2.8.5
-
cpe:2.3:a:raspap:raspap:2.8.6
-
cpe:2.3:a:raspap:raspap:2.8.7
-
cpe:2.3:a:raspap:raspap:2.8.8
-
cpe:2.3:a:raspap:raspap:2.8.9
-
cpe:2.3:a:raspap:raspap:2.9.0
-
cpe:2.3:a:raspap:raspap:2.9.1
-
cpe:2.3:a:raspap:raspap:2.9.2