CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24181
https://notcve.org/view.php?id=CVE-2023-24181
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. • https://github.com/ABB-EL/external-vulnerability-disclosures/security/advisories/GHSA-9gqg-pp5p-q9hg https://github.com/openwrt/luci/commit/25983b9fa572a640a7ecd077378df2790266cd61 https://github.com/openwrt/luci/commit/749268a2cad4a08722e30f66a578e254885f450f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41435
https://notcve.org/view.php?id=CVE-2022-41435
OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments. Se descubrió que la versión git-22.140.66206-02913be de OpenWRT LuCI contiene una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en el componente /system/sshkeys.js. Esta vulnerabilidad permite a los atacantes ejecutar scripts web o HTML arbitrarios mediante comentarios de clave pública manipulados. • https://gist.github.com/librick/eacf19bcfc5ca964e0882b4ef9864bf5 https://github.com/openwrt/luci/commit/944b55738e7f9685865d5298248b7fbd7380749e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27821
https://notcve.org/view.php?id=CVE-2021-27821
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Se ha detectado que la Interfaz Web para OpenWRT LuCI versión 19.07 y anteriores presenta una vulnerabilidad de tipo cross-site scripting que puede conllevar a que los atacantes ejecuten código arbitrario • http://openwrt.com http://openwrtorg.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 2CVE-2020-10871
https://notcve.org/view.php?id=CVE-2020-10871
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further **EN DISPUTA** En OpenWrt LuCI versiones git-20.x, unos atacantes no autenticados remotos pueden recuperar la lista de paquetes y servicios instalados. NOTA: el proveedor cuestiona la importancia de este reporte porque, para instancias a las que puede llegar un actor no autenticado, la misma información está disponible de otras maneras (más complejas), y no existe ningún plan para restringir aún más la información. • https://github.com/openwrt/luci/issues/3563#issuecomment-578522860 https://github.com/openwrt/luci/issues/3653#issue-567892007 https://github.com/openwrt/luci/issues/3766 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12272
https://notcve.org/view.php?id=CVE-2019-12272
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. En OpenWrt LuCI hasta versión 0.10, los endpoints admin/status/realtime/bandwidth_status y admin/status/realtime/wireless_status de la aplicación web se ven afectados por una vulnerabilidad de inyección de comandos. • https://github.com/openwrt/luci/commit/9e4b8a91384562e3baee724a52b72e30b1aa006d https://github.com/openwrt/luci/commits/master • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •