CVE-2022-39987: 
PHP vulnerability analysis and mitigation

A Command injection vulnerability exists in RaspAP versions 2.8.0 through 2.9.2. The vulnerability allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php (Medium Blog, NVD).

The vulnerability exists due to insufficient sanitization of the "entity" POST parameter in the /ajax/networking/get_wgkey.php file. When generating Private/Public key pairs, the application takes the "entity" parameter from POST without proper sanitization. The parameter is passed as a path which gets executed with exec('sudo path'), therefore any injected command gets executed with root privileges (Medium Blog). The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability allows authenticated attackers to execute arbitrary operating system commands with root privileges. This could lead to complete system compromise, including the ability to read, write, or delete any files, install malware, or perform any other actions available to the root user (NVD).

The recommended mitigation is to use PHP's built-in escapeshellarg() function to properly sanitize the "entity" parameter before it is used in command execution (Medium Blog).