RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request.
CVSS Score
6.5
EPSS Score
0.0
Published
2024-03-09
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
CVSS Score
7.5
EPSS Score
0.004
Published
2024-03-09
Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.
CVSS Score
8.8
EPSS Score
0.027
Published
2023-06-23
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.
CVSS Score
8.8
EPSS Score
0.186
Published
2021-08-24
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
CVSS Score
8.8
EPSS Score
0.007
Published
2021-08-24