CyberSec.Space Logo
Back to CVE Browser

CVE-2020-24572

HIGH
8.8
CVSS Severity Score
EPSS Score0.0020%
EPSS Percentile38.66th
PublishedAug 24, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).

Affected Platforms (CPE)

πŸ“¦
Raspap

Raspap

= 2.5

References & Advisories

πŸ”— https://deadb0x.io/lunchb0x/cve-2020-24572/
πŸ”— https://github.com/billz/raspap-webgui/commit/dd5ab7bdc213381ee552001dd80c41ca47afab00
πŸ”— https://github.com/billz/raspap-webgui/releases
πŸ”— https://github.com/lb0x
πŸ”— https://deadb0x.io/lunchb0x/cve-2020-24572/
πŸ”— https://github.com/billz/raspap-webgui/commit/dd5ab7bdc213381ee552001dd80c41ca47afab00
πŸ”— https://github.com/billz/raspap-webgui/releases
πŸ”— https://github.com/lb0x

Related Vulnerabilities

CVE-2021-333579.8

A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" pa...

CVE-2021-333568.8

Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitr...

CVE-2021-333588.8

Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd,...

CVE-2021-385568.8

includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.