CVE-2023-3085 – X-WRT luci 404 Error Template dispatcher.uc run_action cross site scripting
https://notcve.org/view.php?id=CVE-2023-3085
A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504. This issue affects the function run_action of the file modules/luci-base/ucode/dispatcher.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. • https://github.com/x-wrt/luci/commit/24d7da2416b9ab246825c33c213fe939a89b369c https://github.com/x-wrt/luci/releases/tag/22.10_b202303121313 https://vuldb.com/?ctiid.230663 https://vuldb.com/?id.230663 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-10871
https://notcve.org/view.php?id=CVE-2020-10871
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further **EN DISPUTA** En OpenWrt LuCI versiones git-20.x, unos atacantes no autenticados remotos pueden recuperar la lista de paquetes y servicios instalados. NOTA: el proveedor cuestiona la importancia de este reporte porque, para instancias a las que puede llegar un actor no autenticado, la misma información está disponible de otras maneras (más complejas), y no existe ningún plan para restringir aún más la información. • https://github.com/openwrt/luci/issues/3563#issuecomment-578522860 https://github.com/openwrt/luci/issues/3653#issue-567892007 https://github.com/openwrt/luci/issues/3766 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •