
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Jun 2023 — A cross-site scripting vulnerability, classified as problematic, affects X-WRT luci up to 22.10_b202303061504. The function run_action in modules/luci-base/ucode/dispatcher.uc (the 404 Error Template Handler) renders the request_path argument into the 404 page without neutralizing it, so a crafted URL path causes attacker-controlled script to run in the browser of whoever opens it. The attack can be launched remotely. Upgrading to version 22.10_b202303121313 fixes the issue. • https://github.com/x-wrt/luci/commit/24d7da2416b9ab246825c33c213fe939a89b369c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 May 2021 — The web interface for OpenWRT LuCI, version 19.07 and lower, has a cross-site scripting vulnerability. The advisory describes the impact as arbitrary code execution; for CWE-79 that means attacker-controlled script running in the browser session of a LuCI user, which on a router administration UI is typically an authenticated administrator. • http://openwrt.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 | EPSS: 37% | CPEs: 1 | EXPL: 2

23 May 2019 — In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. Two public exploits are listed and the EPSS score is far above every other entry on this page, so treat reachable instances as actively targeted rather than theoretically exposed. • https://github.com/HACHp1/LuCI_RCE_exp • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
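The entry above names the vulnerability class but not the mechanism. The following is an added example, written for this page and not taken from LuCI (which is written in Lua) or from the linked exploit: it contrasts the anti-pattern behind CWE-78, splicing a request parameter into a shell command string, with an allow-list plus argv-list version. The interface names, the `IFACE_RE` allow-list and the use of `iwinfo` as the wrapped tool are assumptions for illustration; `iwinfo` is not expected to be installed, which is the point of the demonstration, because the injected `echo` still runs regardless.

```python
import re
import subprocess

# Constructed inputs for this example; they are not taken from any LuCI request.
GOOD_IFACE = "wlan0"
INJECTED_IFACE = "wlan0; echo INJECTED"

# Hypothetical allow-list for Linux interface names (IFNAMSIZ leaves 15 visible
# characters); tighten or loosen it to whatever your platform actually uses.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def run_via_shell_vulnerable(iface):
    """Anti-pattern: splice an untrusted parameter into a shell command string.

    'iwinfo' is only a stand-in and is not expected to be installed here; its
    'command not found' goes to stderr, while whatever the attacker appended
    after ';' still runs and its output comes back on stdout.
    """
    cmd = "iwinfo " + iface + " info"
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


def build_argv_hardened(iface):
    """Validate against the allow-list, then build an argv list.

    Hand the returned list to subprocess.run(argv) with the default
    shell=False: with no shell in the path, ';', '|', '`' and '$(...)' are
    just bytes inside one argument and cannot start a second command.
    """
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("invalid interface name: %r" % (iface,))
    return ["iwinfo", iface, "info"]


def demo():
    """Run both variants against the injected value and report what happened."""
    shell_output = run_via_shell_vulnerable(INJECTED_IFACE)
    try:
        build_argv_hardened(INJECTED_IFACE)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "shell_output": shell_output.strip(),
        "hardened_rejected": hardened_rejected,
        "hardened_argv": build_argv_hardened(GOOD_IFACE),
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list does the real work: an argv list alone stops the shell from interpreting metacharacters, but the wrapped tool may still treat a value beginning with `-` as an option, so reject anything that is not a plausible interface name before it reaches either layer.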

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Oct 2014 — Eval injection vulnerability in luci 0.26.0 (the Python-based management server of Red Hat Conga, not OpenWrt's LuCI) allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. ... • http://rhn.redhat.com/errata/RHSA-2014-1390.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
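To make the eval() problem concrete, here is an added example written for this page; it is not luci's code and the configuration values are constructed, not taken from any real cluster configuration file. It shows eval() executing an expression embedded in a config string, and the replacement a practitioner would reach for: ast.literal_eval followed by a type check, which accepts only the literal shape the application expects.

```python
import ast

# Constructed values standing in for strings read from a cluster configuration
# file; neither comes from a real luci or Conga installation.
BENIGN_VALUE = "['node1', 'node2']"
HOSTILE_VALUE = "__import__('os').getpid()"


def parse_list_vulnerable(value):
    """Anti-pattern: eval() on text that came from a file the web app trusts.

    Any Python expression in that file executes with the web application's
    privileges; here the payload is harmless (it just returns the PID), but
    os.system(...) would work exactly the same way.
    """
    return eval(value)


def parse_list_hardened(value):
    """Accept only a literal list of strings; reject any other syntax or type.

    ast.literal_eval understands literals only, so calls, attribute access and
    imports raise ValueError instead of running.
    """
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("config value is not a literal: %r" % (value,)) from exc
    if not isinstance(parsed, list) or not all(isinstance(x, str) for x in parsed):
        raise ValueError("expected a list of strings, got %r" % (parsed,))
    return parsed


def classify(value):
    """'literal' if the hardened parser accepts the value, otherwise 'rejected'."""
    try:
        parse_list_hardened(value)
        return "literal"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("eval() ran the hostile value and returned:", parse_list_vulnerable(HOSTILE_VALUE))
    print("hardened parser:", classify(BENIGN_VALUE), "/", classify(HOSTILE_VALUE))
```

The type check after literal_eval matters as much as the swap itself: literal_eval will happily return a dict or a list of integers, and downstream code that assumed a list of hostnames would then fail in a less obvious place.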

CVSS: 4.7 | EPSS: 0% | CPEs: 2 | EXPL: 0

21 Nov 2013 — Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as "authentication secrets." A flaw was found in ... • http://rhn.redhat.com/errata/RHSA-2013-1603.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
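The create-then-chmod window described above is easy to reproduce and easy to close. The following is an added example written for this page, not Luci's code: it writes a constructed stand-in for luci.ini two ways into a temporary directory, records the mode the file has the instant it exists, and shows that creating it with os.open and an explicit 0600 mode (plus O_EXCL, which refuses a file an attacker planted in advance) leaves no window at all. The umask of 022 is set inside demo() only to make the vulnerable variant's world-readable bit observable on any machine.

```python
import os
import stat
import tempfile

# Constructed content standing in for the "authentication secrets" in luci.ini.
SAMPLE_INI = "[auth]\nsecret = constructed-example-secret\n"


def write_secret_vulnerable(path):
    """Anti-pattern: create with the umask-derived default mode, then chmod.

    Between open() and chmod() the file is readable by anyone the umask allows;
    that is the race. Returns the mode observed inside the window.
    """
    with open(path, "w") as fh:
        mode_during_window = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(SAMPLE_INI)
    os.chmod(path, 0o600)
    return mode_during_window


def write_secret_hardened(path):
    """Create the file 0600 from the first instant; O_EXCL refuses a pre-planted one.

    The mode argument is still masked by umask, but umask can only clear bits,
    so the result is never more permissive than 0600.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        mode_at_creation = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(SAMPLE_INI)
    return mode_at_creation


def demo():
    """Exercise both writers in a scratch directory and report the modes seen."""
    old_umask = os.umask(0o022)  # typical default; makes the window observable
    try:
        with tempfile.TemporaryDirectory() as tmp:
            vuln_path = os.path.join(tmp, "luci-vulnerable.ini")
            hard_path = os.path.join(tmp, "luci-hardened.ini")
            window_mode = write_secret_vulnerable(vuln_path)
            hardened_mode = write_secret_hardened(hard_path)
            try:
                write_secret_hardened(hard_path)
                refuses_existing = False
            except FileExistsError:
                refuses_existing = True
            return {
                "vulnerable_mode_during_window": window_mode,
                "vulnerable_mode_after_chmod": stat.S_IMODE(os.stat(vuln_path).st_mode),
                "hardened_mode": hardened_mode,
                "hardened_refuses_existing": refuses_existing,
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %s" % (key, oct(value) if isinstance(value, int) else value))
```

The after-chmod mode of the vulnerable file is also 0600, which is exactly why this class of bug survives review: the final state looks correct, and only the creation call reveals the window.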

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

21 Nov 2013 — Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in the (1) current working directory or (2) its parent directories. • http://rhn.redhat.com/errata/RHSA-2013-1603.html •

CVSS: 9.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

05 Nov 2010 — The default configuration of Luci 0.22.4 and earlier in Red Hat Conga uses "[INSERT SECRET HERE]" as its secret key for cookies, which makes it easier for remote attackers to bypass repoze.who authentication via a forged ticket cookie. Anyone who knows the placeholder, which means anyone who has read the shipped default configuration, can mint a ticket the server accepts as genuine. • http://git.fedorahosted.org/git/?p=luci.git%3Ba=commit%3Bh=9e0bbf0c5faa198379d945474f7d55da5031cacf • CWE-287: Improper Authentication •
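The following is an added example written for this page to show why a shipped placeholder secret defeats a cookie-ticket scheme outright; it is not Luci's or repoze.who's code. The ticket format (`userid!issued_at!mac`, HMAC-SHA256) is a deliberately simplified stand-in for repoze.who's auth_tkt and is an assumption of this example, as are the `check_secret` startup guard and its 32-character minimum. The mechanism it demonstrates does not depend on those details: a ticket is only as secret as the key that signs it, and a key printed in the default config is public.

```python
import hashlib
import hmac
import secrets
import time

PLACEHOLDER_SECRET = "[INSERT SECRET HERE]"  # the shipped default quoted in the advisory


def sign_ticket(secret, userid, issued_at=None):
    """Build 'userid!issued_at!mac'. Constructed format, not repoze.who's auth_tkt."""
    if issued_at is None:
        issued_at = int(time.time())
    payload = "%s!%d" % (userid, issued_at)
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return payload + "!" + mac


def verify_ticket(secret, ticket):
    """Return the userid if the MAC is valid under this server's secret, else None."""
    try:
        userid, issued_at, mac = ticket.rsplit("!", 2)
        payload = "%s!%d" % (userid, int(issued_at))
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return userid if hmac.compare_digest(mac, expected) else None


def generate_secret():
    """Per-installation secret: 32 random bytes, hex-encoded (assumed policy)."""
    return secrets.token_hex(32)


def check_secret(secret):
    """Startup guard (assumed policy): refuse the placeholder and short secrets."""
    if secret.strip() == PLACEHOLDER_SECRET or len(secret) < 32:
        raise ValueError("cookie secret is the shipped placeholder or too short; "
                         "generate one per installation")
    return True


def demo():
    """Forge an admin ticket with the placeholder and test it against two servers."""
    # The attacker only needs the default config file, which ships with the package.
    forged = sign_ticket(PLACEHOLDER_SECRET, "admin", 1_700_000_000)
    accepted_by_default_install = verify_ticket(PLACEHOLDER_SECRET, forged)
    # Same forged ticket against an installation that generated its own secret.
    accepted_by_random_secret = verify_ticket(generate_secret(), forged)
    try:
        check_secret(PLACEHOLDER_SECRET)
        placeholder_rejected = False
    except ValueError:
        placeholder_rejected = True
    return {
        "forged_ticket": forged,
        "accepted_by_default_install": accepted_by_default_install,
        "accepted_by_random_secret": accepted_by_random_secret,
        "placeholder_rejected": placeholder_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

A guard like check_secret belongs at process start, not at first login: a server that boots with the placeholder has already accepted forged tickets by the time anyone notices.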