CVE-2023-30260
Description
Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated command injection in RaspAP web interface (≤2.8.8) allows remote attackers to execute arbitrary OS commands via crafted POST to hostapd settings, with potential root escalation.
Vulnerability
Overview
CVE-2023-30260 is a command injection vulnerability in the RaspAP web interface (versions 2.8.8 and earlier). The root cause is the lack of sanitization of user-supplied input in the hostapd_conf endpoint. Specifically, the interface and txpower POST parameters are passed directly to the exec() function in hostapd.php without escaping, allowing an attacker to inject arbitrary OS commands [4].
Exploitation
An attacker must first obtain valid credentials for the RaspAP web interface (the default credentials are admin:secret). With these, they can send a crafted POST request to /hostapd_conf containing a malicious payload in the interface parameter. The request must include a valid CSRF token, which can be easily extracted from the page source. The injected command is then executed with the privileges of the web server (www-data) [4].
Impact
Successful exploitation grants the attacker arbitrary command execution as www-data. In the default RaspAP configuration, this can be escalated to root privileges by abusing sudo permissions. For example, the attacker can overwrite the OpenVPN client configuration to include a malicious script that runs with root privileges when an OpenVPN connection is established [4].
Mitigation
The vulnerability has been addressed in later versions of RaspAP. The fix involves sanitizing the interface and txpower parameters and using PHP's escapeshellarg() before passing them to exec(). This was implemented in pull request #1322 [2]. Users are strongly advised to update to a patched version or apply the sanitization manually if running an older release.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
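A hardened version of the command construction described in the Mitigation section, written here as an added example (it is not RaspAP's own code). It goes one step beyond the patch: the interface name is validated against the character set and length Linux allows for interface names, txpower is coerced to a bounded integer, and escapeshellarg() is still applied as defense in depth. Function names and the txpower upper bound are assumptions.

```php
<?php
// Added example, not RaspAP code: build the `iw` command for the hostapd
// settings handler without letting either POST parameter reach the shell unchecked.

// Linux interface names are at most 15 characters (IFNAMSIZ - 1). This pattern is
// stricter than the kernel requires on purpose: anything unusual is rejected outright.
function isValidInterfaceName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,15}$/', $name) === 1;
}

// Accept 'auto' or a small non-negative integer number of dBm.
// Returns 'auto', an int, or null when the value must be rejected.
// The 100 dBm upper bound is an assumption; real radios are far below it.
function normalizeTxPower(string $raw)
{
    if ($raw === 'auto') {
        return 'auto';
    }
    if (!preg_match('/^\d{1,3}$/', $raw)) {
        return null; // non-numeric, negative, or too long
    }
    $dbm = (int) $raw;
    return ($dbm <= 100) ? $dbm : null;
}

// Returns the command string to run, or null if the input must be rejected.
// Validation comes first; escapeshellarg() stays so that a future relaxation
// of the pattern still cannot turn into shell injection.
function buildTxPowerCommand(string $interface, string $rawTxPower): ?string
{
    if (!isValidInterfaceName($interface)) {
        return null;
    }
    $txpower = normalizeTxPower($rawTxPower);
    if ($txpower === null) {
        return null;
    }
    $iface = escapeshellarg($interface);
    if ($txpower === 'auto') {
        return 'sudo /sbin/iw dev ' . $iface . ' set txpower auto';
    }
    $sdBm = $txpower * 100; // iw takes fixed power in mBm
    return 'sudo /sbin/iw dev ' . $iface . ' set txpower fixed ' . $sdBm;
}

// Constructed inputs: a normal request, then an interface name containing a shell metacharacter.
var_dump(buildTxPowerCommand('wlan0', '20'));
var_dump(buildTxPowerCommand('wlan0;', '20'));
```

The caller should treat a null return as a validation failure and report it through the status object rather than falling through to exec().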
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| billz/raspap-webgui (Packagist) | < 2.8.9 | 2.8.9 |
Affected products (1)
Patches
1238e1670fcef Merge pull request #1322 from RaspAP/maint/security
1 file changed · +4 −3
includes/hostapd.php+4 −3 modified@@ -99,12 +99,13 @@ function DisplayHostAPDConfig() } // set txpower with iw if value is non-default ('auto') if (isset($_POST['txpower']) && ($_POST['txpower'] != 'auto')) { - $sdBm = $_POST['txpower'] * 100; - exec('sudo /sbin/iw dev '.$_POST['interface'].' set txpower fixed '.$sdBm, $return); + $txpower = intval($_POST['txpower']); + $sdBm = $txpower * 100; + exec('sudo /sbin/iw dev '.escapeshellarg($_POST['interface']).' set txpower fixed '.$sdBm, $return); $status->addMessage('Setting transmit power to '.$_POST['txpower'].' dBm.', 'success'); $txpower = $_POST['txpower']; } elseif ($_POST['txpower'] == 'auto') { - exec('sudo /sbin/iw dev '.$_POST['interface'].' set txpower auto', $return); + exec('sudo /sbin/iw dev '.escapeshellarg($_POST['interface']).' set txpower auto', $return); $status->addMessage('Setting transmit power to '.$_POST['txpower'].'.', 'success'); $txpower = $_POST['txpower']; }
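Review bot: in the first replacement block the sanitized value from `$txpower = intval($_POST['txpower']);` is discarded two lines later by the unchanged `$txpower = $_POST['txpower'];`, and the unchanged `$status->addMessage('Setting transmit power to '.$_POST['txpower'].' dBm.', 'success');` still echoes the raw parameter; use the intval result in the message and drop the reassignment so only the coerced value leaves this block (the `auto` branch has the same reassignment). escapeshellarg() keeps the interface name inside a single shell argument, but it does not constrain what string reaches iw; checking the name against the system's known interfaces, or a strict character pattern, before exec() would be cheap defense in depth. Also, `elseif ($_POST['txpower'] == 'auto')` is evaluated when txpower was never posted (the first branch's isset() failed), which reads an undefined index; an isset() guard belongs there as well.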
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.