raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-24T12:33:01

Updated: 2024-08-04T01:44:23.480Z

Reserved: 2021-08-11T00:00:00

Link: CVE-2021-38557

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-08-24T13:15:14.513

Modified: 2024-11-21T06:17:26.340

Link: CVE-2021-38557

cve-icon Redhat

No data.