GHSA-277f-37gw-9gmq

Source

https://github.com/advisories/GHSA-277f-37gw-9gmq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-277f-37gw-9gmq/GHSA-277f-37gw-9gmq.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-277f-37gw-9gmq

Aliases

CVE-2025-44163

Published

2025-06-27T15:31:24Z

Modified

2025-06-30T13:13:01.184597Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

raspap-webgui has a Directory Traversal vulnerability

Details

RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the entity parameter to overwrite arbitrary files writable by the web server via abuse of the tee command used in shell execution.

Database specific

{
    "nvd_published_at": "2025-06-27T14:15:37Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-27T20:48:15Z",
    "severity": "HIGH"
}

References

Affected packages

Packagist / billz/raspap-webgui

Package

Name: billz/raspap-webgui
Purl: pkg:composer/billz/raspap-webgui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.6

Affected versions

1.*

1.0

2.*

2.4.1

2.5

2.5.1

2.5.2

2.6-beta

2.6

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

3.*

3.0-beta

3.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

v3.*

v3.3.5