CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24182
https://notcve.org/view.php?id=CVE-2023-24182
11 Apr 2023 — LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js. • https://github.com/ABB-EL/external-vulnerability-disclosures/security/advisories/GHSA-7vqh-2r8q-rjg2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38333
https://notcve.org/view.php?id=CVE-2022-38333
19 Sep 2022 — Openwrt before v21.02.3 and Openwrt v22.03.0-rc6 were discovered to contain two skip loops in the function header_value(). This vulnerability allows attackers to access sensitive information via a crafted HTTP request. Se ha detectado que Openwrt versiones anteriores a v21.02.3 y Openwrt versión v22.03.0-rc6, contienen dos bucles de omisión en la función header_value(). Esta vulnerabilidad permite a atacantes acceder a información confidencial por medio de una petición HTTP diseñada • https://git.openwrt.org/?p=project/cgi-io.git%3Ba=commit%3Bh=901b0f0463c9d16a8cf5b9ed37118d8484bc9176 • CWE-125: Out-of-bounds Read •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-45904
https://notcve.org/view.php?id=CVE-2021-45904
27 Dec 2021 — OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen. OpenWrt versión 21.02.1 permite un ataque de tipo XSS por medio de la Pantalla Port Forwards Add Name • https://bugs.openwrt.org/index.php?do=details&task_id=4199 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-45905
https://notcve.org/view.php?id=CVE-2021-45905
27 Dec 2021 — OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen. OpenWrt versión 21.02.1 permite un ataque de tipo XSS por medio de la Pantalla Traffic Rules Name • https://bugs.openwrt.org/index.php?do=details&task_id=4199 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-45906
https://notcve.org/view.php?id=CVE-2021-45906
27 Dec 2021 — OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen. OpenWrt versión 21.02.1 permite XSS por medio de la Pantalla NAT Rules Name • https://bugs.openwrt.org/index.php?do=details&task_id=4199 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32019
https://notcve.org/view.php?id=CVE-2021-32019
02 Aug 2021 — There is missing input validation of host names displayed in OpenWrt before 19.07.8. The Connection Status page of the luci web-interface allows XSS, which can be used to gain full control over the affected system via ICMP. Se presenta una falta de comprobación de entrada de los nombres de host mostrados en OpenWrt antes de la versión 19.07.8. La página de Estado de la Conexión de la interfaz web de luci permite un ataque de tipo XSS, que puede usarse para obtener el control total del sistema afectado por m... • https://openwrt.org/advisory/2021-08-01-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33425
https://notcve.org/view.php?id=CVE-2021-33425
25 May 2021 — A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation. Se detectó una vulnerabilidad de tipo cross-site scripting (XSS) almacenada en la Interfaz Web para OpenWRT LuCI versión 19.07, que permite a atacantes inyectar JavaScript arbitrario en el Hostname de OpenWRT por medio de la operación Hostname Change • http://openwrt.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2021-28961
https://notcve.org/view.php?id=CVE-2021-28961
21 Mar 2021 — applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests. El archivo applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua en el paquete DDNS para OpenWrt versión 19.07, permite a usuarios autenticados remotos inyectar comandos arbitrarios por medio de peticiones POST • https://github.com/openwrt/luci/commit/9df7ea4d66644df69fcea18b36bc465912ffc • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-22161
https://notcve.org/view.php?id=CVE-2021-22161
07 Feb 2021 — In OpenWrt 19.07.x before 19.07.7, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set. This affects the netifd and odhcp6c packages. En OpenWrt version... • https://openwrt.org/advisory/2021-02-02-1 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-25015
https://notcve.org/view.php?id=CVE-2019-25015
21 Jan 2021 — LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID. LuCI en OpenWrt versiones 18.06.0 hasta 18.06.4, permite un ataque de tipo XSS almacenado por medio de un SSID diseñado • https://github.com/openwrt/luci/commit/bc17ef673f734ea8e7e696ba5735588da9111dcd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •