[GHSA-7r88-wjhj-jr8m] RaspAP Command Injection vulnerability

[MarkLee131]

Updates

• Affected products
• References

Comments
Add patch commit for v2.8.8: RaspAP/raspap-webgui@1fabc48,
belongs to pr: RaspAP/raspap-webgui#1303

they are mentioned in release note v2.8.8: "Security: Sanitize post data w/ escapeshellcmd() by @billz in #1303 thanks @buglloc"

[buglloc]

I think these vulnerabilities are unrelated, just similar.
GHSA-7r88-wjhj-jr8m related to CVE-2022-39987 and, as far as I known, it is fixed in v2.9.5:

• commit: RaspAP/raspap-webgui@e87e7d1
• PR: Sanitize post with escapeshellcmd() RaspAP/raspap-webgui#1395

In RaspAP/raspap-webgui#1303 which you mention fixed another but similar vulnerability. it allows an unauthenticated attacker to execute arbitrary OS commands

[MarkLee131]

Hi,@buglloc. Thanks for the correction. I made the mistake. I will correct the info and open a new PR for this CVE.

Besides, the patch commit I mentioned above seems like the fix for GHSA-7c28-wg7r-pg6f, which "allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php". is it correct?

[buglloc]

Besides, the patch commit I mentioned above seems like the fix for GHSA-7c28-wg7r-pg6f, which "allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php". is it correct?

Yeah, looks correct! :)