CVE-2022-39986

Name of the Vulnerable Software and Affected Versions RaspAP versions 2.8.0 through 2.8.7

Description A command injection issue allows unauthenticated attackers to execute arbitrary commands via the cfg id parameter in "/ajax/openvpn/activate ovpncfg.php" and "/ajax/openvpn/del ovpncfg.php". This is related to inadequate data cleaning at the management level, potentially allowing remote attackers to execute commands using a specially crafted POST request with the cfg id parameter.

Recommendations For RaspAP versions 2.8.0 through 2.8.7, consider disabling the cfg id parameter in the affected API endpoints until a patch is available. Restrict access to the "/ajax/openvpn/activate ovpncfg.php" and "/ajax/openvpn/del ovpncfg.php" endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.