CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3085 – X-WRT luci 404 Error Template dispatcher.uc run_action cross site scripting
https://notcve.org/view.php?id=CVE-2023-3085
A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504. This issue affects the function run_action of the file modules/luci-base/ucode/dispatcher.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. • https://github.com/x-wrt/luci/commit/24d7da2416b9ab246825c33c213fe939a89b369c https://github.com/x-wrt/luci/releases/tag/22.10_b202303121313 https://vuldb.com/?ctiid.230663 https://vuldb.com/?id.230663 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27821
https://notcve.org/view.php?id=CVE-2021-27821
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Se ha detectado que la Interfaz Web para OpenWRT LuCI versión 19.07 y anteriores presenta una vulnerabilidad de tipo cross-site scripting que puede conllevar a que los atacantes ejecuten código arbitrario • http://openwrt.com http://openwrtorg.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12272
https://notcve.org/view.php?id=CVE-2019-12272
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. En OpenWrt LuCI hasta versión 0.10, los endpoints admin/status/realtime/bandwidth_status y admin/status/realtime/wireless_status de la aplicación web se ven afectados por una vulnerabilidad de inyección de comandos. • https://github.com/openwrt/luci/commit/9e4b8a91384562e3baee724a52b72e30b1aa006d https://github.com/openwrt/luci/commits/master • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3593 – luci: privilege escalation through cluster with specially crafted configuration
https://notcve.org/view.php?id=CVE-2014-3593
Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. Vulnerabilidad de inyección Eval en luci 0.26.0 permite a usuarios remotos autenticados con ciertos permisos, ejecutar código Python arbitrario a través de la manipulación del configuración del cluster. It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci. • http://rhn.redhat.com/errata/RHSA-2014-1390.html https://bugzilla.redhat.com/show_bug.cgi?id=989005 https://access.redhat.com/security/cve/CVE-2014-3593 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 1.9EPSS: 0%CPEs: 2EXPL: 0CVE-2013-4481 – luci: short exposure of authentication secrets while generating configuration file
https://notcve.org/view.php?id=CVE-2013-4481
Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as "authentication secrets." Condición de carrera en Luci 0.26.0 crea /var/lib/luci/etc/luci.ini con permisos de escritura antes de restringir los permisos, lo que permite a usuarios locales leer archivos y obtener información sensible, tal como los "secretos de autenticación". A flaw was found in the way luci generated its configuration file. The file was created as world readable for a short period of time, allowing a local user to gain access to the authentication secrets stored in the configuration file. • http://rhn.redhat.com/errata/RHSA-2013-1603.html https://bugzilla.redhat.com/show_bug.cgi?id=988998 https://access.redhat.com/security/cve/CVE-2013-4481 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •