CyberSec.Space Logo
Back to CVE Browser

CVE-2021-33357

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1940%
EPSS Percentile15.26th
PublishedJun 9, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.

Affected Platforms (CPE)

πŸ“¦
Raspap

Raspap

>= 2.6 and <= 2.6.5

References & Advisories

πŸ”— https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
πŸ”— https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_netcfg.php
πŸ”— https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf
πŸ”— https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_netcfg.php

Related Vulnerabilities

CVE-2020-245728.8

An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (...

CVE-2021-333568.8

Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitr...

CVE-2021-333588.8

Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd,...

CVE-2021-385568.8

includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.