raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2021-08-24T12:33:01
Updated: 2024-08-04T01:44:23.480Z
Reserved: 2021-08-11T00:00:00
Link: CVE-2021-38557
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-08-24T13:15:14.513
Modified: 2024-11-21T06:17:26.340
Link: CVE-2021-38557
Redhat
No data.