Vulnerabilities > Openwrt
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-03-16 | CVE-2019-19945 | Incorrect Conversion between Numeric Types vulnerability in Openwrt: uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. | 7.5 |
2019-12-03 | CVE-2019-18993 | Cross-site Scripting vulnerability in Openwrt 18.06.4: OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device). | 5.4 |
2019-12-03 | CVE-2019-18992 | Cross-site Scripting vulnerability in Openwrt 18.06.4: OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device). | 5.4 |
2019-11-18 | CVE-2019-5102 | Improper Certificate Validation vulnerability in Openwrt 15.05.1/18.06.4: An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. | 5.9 |
2019-11-18 | CVE-2019-5101 | Improper Certificate Validation vulnerability in Openwrt 15.05.1/18.06.4: An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. | 5.9 |
2019-10-18 | CVE-2019-17367 | Cross-Site Request Forgery (CSRF) vulnerability in Openwrt 18: OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/. | 8.8 |
2019-08-23 | CVE-2019-15513 | Improper Locking vulnerability in multiple products: An issue was discovered in OpenWrt libuci (aka Library for the Unified Configuration Interface) before 15.05.1 as used on Motorola CX2L MWR04L 1.01 and C1 MWR03 1.01 devices. | 7.5 |
2019-05-23 | CVE-2019-12272 | OS Command Injection vulnerability in Openwrt Luci: In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. | 9.8 |
2018-11-28 | CVE-2018-19630 | Cross-site Scripting vulnerability in Openwrt Lede and Openwrt: cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?[XSS] URI. | 6.1 |
2018-06-19 | CVE-2018-11116 | Incorrect Permission Assignment for Critical Resource vulnerability in Openwrt: OpenWrt mishandles access control in /etc/config/rpcd and the /usr/share/rpcd/acl.d files, which allows remote authenticated users to call arbitrary methods (i.e., achieve ubus access over HTTP) that were only supposed to be accessible to a specific user, as demonstrated by the file, log, and service namespaces, potentially leading to remote Information Disclosure or Code Execution. | 8.8 |