openwrt/luci on GitHub
LuCI - OpenWrt Configuration Interface
CVE History
| CVE | Published | CVSS v2 | CVSS v3 |
|---|---|---|---|
| CVE-2023-24182 | 5.4 MEDIUM | N/A | |
| LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js. | |||
| CVE-2023-24181 | 5.4 MEDIUM | N/A | |
| LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. | |||
| CVE-2022-41435 | 5.4 MEDIUM | N/A | |
| OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments. | |||
| CVE-2021-28961 | 8.8 HIGH | 6.5 MEDIUM | |
| applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests. | |||
| CVE-2019-25015 | 5.4 MEDIUM | 3.5 LOW | |
| LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID. | |||
| CVE-2020-10871 | 5.3 MEDIUM | 5 MEDIUM | |
| In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further | |||
| CVE-2019-18992 | 5.4 MEDIUM | 3.5 LOW | |
| OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device). | |||
| CVE-2019-18993 | 5.4 MEDIUM | 3.5 LOW | |
| OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device). | |||
| CVE-2019-17367 | 8.8 HIGH | 6.8 MEDIUM | |
| OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/. | |||
| CVE-2019-12272 | 9.8 CRITICAL | 7.5 HIGH | |
| In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. | |||