CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3085 – X-WRT luci 404 Error Template dispatcher.uc run_action cross site scripting
https://notcve.org/view.php?id=CVE-2023-3085
03 Jun 2023 — A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504. This issue affects the function run_action of the file modules/luci-base/ucode/dispatcher.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. • https://github.com/x-wrt/luci/commit/24d7da2416b9ab246825c33c213fe939a89b369c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27821
https://notcve.org/view.php?id=CVE-2021-27821
25 May 2021 — The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Se ha detectado que la Interfaz Web para OpenWRT LuCI versión 19.07 y anteriores presenta una vulnerabilidad de tipo cross-site scripting que puede conllevar a que los atacantes ejecuten código arbitrario • http://openwrt.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 37%CPEs: 1EXPL: 2CVE-2019-12272
https://notcve.org/view.php?id=CVE-2019-12272
23 May 2019 — In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. En OpenWrt LuCI hasta versión 0.10, los endpoints admin/status/realtime/bandwidth_status y admin/status/realtime/wireless_status de la aplicación web se ven afectados por una vulnerabilidad de inyección de comandos. • https://github.com/HACHp1/LuCI_RCE_exp • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2010-3852
https://notcve.org/view.php?id=CVE-2010-3852
05 Nov 2010 — The default configuration of Luci 0.22.4 and earlier in Red Hat Conga uses "[INSERT SECRET HERE]" as its secret key for cookies, which makes it easier for remote attackers to bypass repoze.who authentication via a forged ticket cookie. La configuración por defecto de Luci v0.22.4 y anteriores en Red Hat Conga utiliza "[INSERT SECRET HERE]" como su clave secreta para las cookies, lo que facilita a los atacantes remotos el saltarse la autenticación a través de una cookie repoze.who falsificada. • http://git.fedorahosted.org/git/?p=luci.git%3Ba=commit%3Bh=9e0bbf0c5faa198379d945474f7d55da5031cacf • CWE-287: Improper Authentication •