CVE-2021-33357

Name of the Vulnerable Software and Affected Versions RaspAP versions 2.6 through 2.6.5

Description A vulnerability exists in the "iface" GET parameter in the /ajax/networking/get netcfg.php endpoint, where the iface parameter value containing special characters such as ";" enables an unauthenticated attacker to execute arbitrary OS commands.

Recommendations For RaspAP versions 2.6 through 2.6.5, avoid using the iface parameter in the /ajax/networking/get netcfg.php endpoint with special characters until a fix is available. As a temporary workaround, consider restricting access to the /ajax/networking/get netcfg.php endpoint to minimize the risk of exploitation.