Vulnerabilities for 'Openwrt'

2021-12-27
 
CVE-2021-45904

CWE-79
 

 
OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen.

 
 
CVE-2021-45905

CWE-79
 

 
OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen.

 
 
CVE-2021-45906

CWE-79
 

 
OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen.

 
2021-03-21
 
CVE-2021-28961

CWE-77
 

 
applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests.

 
2021-02-07
 
CVE-2021-22161

CWE-835
 

 
In OpenWrt 19.07.x before 19.07.7, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set. This affects the netifd and odhcp6c packages.

 
2021-01-26
 
CVE-2019-25015

CWE-79
 

 
LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID.

 
2020-03-16
 
CVE-2020-7982

CWE-74
 

 
An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).

 
 
CVE-2020-7248

CWE-787
 

 
libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack-based buffer overflow.

 
 
CVE-2019-19945

CWE-119
 

 
uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. This leads to out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered with an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.

 
2019-12-03
 
CVE-2019-18993

CWE-79
 

 
OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device).

 


Copyright 2022, cxsecurity.com

 
