CVE-2022-39987

Name of the Vulnerable Software and Affected Versions RaspAP versions 2.8.0 through 2.9.2

Description The issue is related to a command injection vulnerability. It allows an authenticated attacker to execute arbitrary OS commands as root via the entity POST parameters in the /ajax/networking/get wgkey.php endpoint. This can be achieved by sending a specially crafted POST request.

Recommendations For RaspAP versions 2.8.0 through 2.9.2, consider restricting access to the /ajax/networking/get wgkey.php endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the entity parameter in the affected endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.