Vulnerabilities > Openwrt > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-01-26 | CVE-2019-25015 | Cross-site Scripting vulnerability in Openwrt: LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID. | 5.4 |
2020-03-23 | CVE-2020-10871 | Information Exposure vulnerability in Openwrt Luci Git20.049.11521Bebfe20/Git20.078.229020Ed0D42: In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. | 5.3 |
2019-12-03 | CVE-2019-18993 | Cross-site Scripting vulnerability in Openwrt 18.06.4: OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to the cgi-bin/luci/admin/network/firewall/forwards URI (this can occur, for example, on a TP-Link Archer C7 device). | 5.4 |
2019-12-03 | CVE-2019-18992 | Cross-site Scripting vulnerability in Openwrt 18.06.4: OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device). | 5.4 |
2019-11-18 | CVE-2019-5102 | Improper Certificate Validation vulnerability in Openwrt 15.05.1/18.06.4: An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. | 5.9 |
2019-11-18 | CVE-2019-5101 | Improper Certificate Validation vulnerability in Openwrt 15.05.1/18.06.4: An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. | 5.9 |
2019-10-18 | CVE-2019-17367 | Cross-Site Request Forgery (CSRF) vulnerability in Openwrt 18: OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/. | 6.8 |
2018-11-28 | CVE-2018-19630 | Cross-site Scripting vulnerability in Openwrt Lede and Openwrt: cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?[XSS] URI. | 4.3 |