CVE-2023-3085 – X-WRT luci 404 Error Template dispatcher.uc run_action cross site scripting
https://notcve.org/view.php?id=CVE-2023-3085
A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504. This issue affects the function run_action of the file modules/luci-base/ucode/dispatcher.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. • https://github.com/x-wrt/luci/commit/24d7da2416b9ab246825c33c213fe939a89b369c https://github.com/x-wrt/luci/releases/tag/22.10_b202303121313 https://vuldb.com/?ctiid.230663 https://vuldb.com/?id.230663 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-24181
https://notcve.org/view.php?id=CVE-2023-24181
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. • https://github.com/ABB-EL/external-vulnerability-disclosures/security/advisories/GHSA-9gqg-pp5p-q9hg https://github.com/openwrt/luci/commit/25983b9fa572a640a7ecd077378df2790266cd61 https://github.com/openwrt/luci/commit/749268a2cad4a08722e30f66a578e254885f450f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-27821
https://notcve.org/view.php?id=CVE-2021-27821
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Se ha detectado que la Interfaz Web para OpenWRT LuCI versión 19.07 y anteriores presenta una vulnerabilidad de tipo cross-site scripting que puede conllevar a que los atacantes ejecuten código arbitrario • http://openwrt.com http://openwrtorg.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12272
https://notcve.org/view.php?id=CVE-2019-12272
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. En OpenWrt LuCI hasta versión 0.10, los endpoints admin/status/realtime/bandwidth_status y admin/status/realtime/wireless_status de la aplicación web se ven afectados por una vulnerabilidad de inyección de comandos. • https://github.com/openwrt/luci/commit/9e4b8a91384562e3baee724a52b72e30b1aa006d https://github.com/openwrt/luci/commits/master • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2014-3593 – luci: privilege escalation through cluster with specially crafted configuration
https://notcve.org/view.php?id=CVE-2014-3593
Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. Vulnerabilidad de inyección Eval en luci 0.26.0 permite a usuarios remotos autenticados con ciertos permisos, ejecutar código Python arbitrario a través de la manipulación del configuración del cluster. It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci. • http://rhn.redhat.com/errata/RHSA-2014-1390.html https://bugzilla.redhat.com/show_bug.cgi?id=989005 https://access.redhat.com/security/cve/CVE-2014-3593 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •