CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3085 – X-WRT luci 404 Error Template dispatcher.uc run_action cross site scripting
https://notcve.org/view.php?id=CVE-2023-3085
03 Jun 2023 — A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504. This issue affects the function run_action of the file modules/luci-base/ucode/dispatcher.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. • https://github.com/x-wrt/luci/commit/24d7da2416b9ab246825c33c213fe939a89b369c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 2CVE-2020-10871
https://notcve.org/view.php?id=CVE-2020-10871
23 Mar 2020 — In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further **EN DISPUTA** En OpenWrt LuCI versiones git-20.x, unos atacantes no autenticados remotos pueden recuperar la lista de paquetes y servicios instalados. NO... • https://github.com/openwrt/luci/issues/3563#issuecomment-578522860 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •