Openwrt: >> Openwrt Security Vulnerabilities
OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-12-27
OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-12-27
OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-12-27
There is missing input validation of host names displayed in OpenWrt before 19.07.8. The Connection Status page of the luci web-interface allows XSS, which can be used to gain full control over the affected system via ICMP.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-08-02
A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary Javascript in the OpenWRT Hostname via the Hostname Change operation.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-05-25
applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests.
CVSS Score
8.8
EPSS Score
0.011
Published
2021-03-21
In OpenWrt 19.07.x before 19.07.7, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set. This affects the netifd and odhcp6c packages.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-02-07
LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-01-26
libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may encounter a use after free when using malicious package names. This is related to uci_parse_package in file.c and uci_strdup in util.c.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-11-19
An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).
CVSS Score
8.1
EPSS Score
0.044
Published
2020-03-16