CVE-2021-33358

Name of the Vulnerable Software and Affected Versions RaspAP versions 2.3 through 2.6.5

Description The issue allows an authenticated attacker to execute arbitrary OS commands by exploiting vulnerabilities in the interface, ssid, and wpa passphrase POST parameters in the "/hostapd" API endpoint. This can occur when the parameter values contain special characters such as ";" or "$()".

Recommendations For RaspAP versions 2.3 through 2.6.5, avoid using the interface, ssid, and wpa passphrase parameters in the "/hostapd" API endpoint with special characters until a patch is available. As a temporary workaround, consider restricting access to the "/hostapd" API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.