-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| billz/raspap-webgui | composer | >= 2.8.0, < 2.8.8 | 2.8.8 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from direct usage of the user-controlled 'cfg_id' parameter in system() and exec() calls without proper sanitization. In activate_ovpncfg.php, system() constructs symbolic links using the parameter, while del_ovpncfg.php uses exec() to delete files based on the parameter. Both cases lack input validation, allowing attackers to chain commands. The patch introduced escapeshellcmd() to sanitize the input, confirming the root cause was missing command-line escaping.