Base Score

MEDIUM6.3

CVE-2025-44163

RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.

VectorNETWORK

Published Bycve@mitre.org

Published DateJun 27, 2025, 14:15

Affected Versions(1)

billz/raspap-webgui(Packagist)

Introduced0

Fixed3.3.6

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
billz/raspap-webgui(Packagist)	0	3.3.6	N/A

Weakness Type (CWE):CWE-23

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW

References

Base Score

MEDIUM6.3

Weakness Type (CWE):CWE-23

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW