Filtered by vendor Openwrt
Subscribe
Total
36 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-10871 | 1 Openwrt | 1 Luci | 2024-05-14 | 5.0 MEDIUM | 5.3 MEDIUM |
** DISPUTED ** In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further. | |||||
CVE-2018-11116 | 1 Openwrt | 1 Openwrt | 2024-05-14 | 6.5 MEDIUM | 8.8 HIGH |
** DISPUTED ** OpenWrt mishandles access control in /etc/config/rpcd and the /usr/share/rpcd/acl.d files, which allows remote authenticated users to call arbitrary methods (i.e., achieve ubus access over HTTP) that were only supposed to be accessible to a specific user, as demonstrated by the file, log, and service namespaces, potentially leading to remote Information Disclosure or Code Execution. NOTE: The developer disputes this as a vulnerability, indicating that rpcd functions appropriately. | |||||
CVE-2024-20006 | 4 Google, Mediatek, Openwrt and 1 more | 8 Android, Mt2713, Mt6781 and 5 more | 2024-02-09 | N/A | 6.7 MEDIUM |
In da, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08477148; Issue ID: ALPS08477148. | |||||
CVE-2023-32855 | 5 Google, Linuxfoundation, Mediatek and 2 more | 36 Android, Yocto, Mt2735 and 33 more | 2024-02-05 | N/A | 6.7 MEDIUM |
In aee, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07909204; Issue ID: ALPS07909204. | |||||
CVE-2023-20790 | 5 Google, Linuxfoundation, Mediatek and 2 more | 68 Android, Yocto, Mt2713 and 65 more | 2024-02-05 | N/A | 4.4 MEDIUM |
In nvram, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07740194; Issue ID: ALPS07740194. | |||||
CVE-2023-20796 | 5 Google, Linuxfoundation, Mediatek and 2 more | 28 Android, Yocto, Mt2735 and 25 more | 2024-02-05 | N/A | 4.4 MEDIUM |
In power, there is a possible memory corruption due to an incorrect bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07929790; Issue ID: ALPS07929790. | |||||
CVE-2023-20694 | 3 Google, Mediatek, Openwrt | 43 Android, Mt6580, Mt6739 and 40 more | 2024-02-04 | N/A | 6.7 MEDIUM |
In preloader, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07733998 / ALPS07874388 (For MT6880 and MT6890 only); Issue ID: ALPS07733998 / ALPS07874388 (For MT6880 and MT6890 only). | |||||
CVE-2023-24182 | 1 Openwrt | 1 Openwrt | 2024-02-04 | N/A | 5.4 MEDIUM |
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js. | |||||
CVE-2023-20725 | 4 Google, Mediatek, Openwrt and 1 more | 41 Android, Mt6580, Mt6739 and 38 more | 2024-02-04 | N/A | 6.7 MEDIUM |
In preloader, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07734004 / ALPS07874358 (For MT6880, MT6890, MT6980, MT6990 only); Issue ID: ALPS07734004 / ALPS07874358 (For MT6880, MT6890, MT6980, MT6990 only). | |||||
CVE-2023-20775 | 3 Google, Mediatek, Openwrt | 38 Android, Mt6739, Mt6757 and 35 more | 2024-02-04 | N/A | 6.7 MEDIUM |
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07978760; Issue ID: ALPS07363410. | |||||
CVE-2023-20695 | 3 Google, Mediatek, Openwrt | 31 Android, Mt6835, Mt6880 and 28 more | 2024-02-04 | N/A | 6.7 MEDIUM |
In preloader, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07734012 / ALPS07874363 (For MT6880, MT6890, MT6980 and MT6990 only); Issue ID: ALPS07734012 / ALPS07874363 (For MT6880, MT6890, MT6980 and MT6990 only). | |||||
CVE-2023-20726 | 5 Google, Linuxfoundation, Mediatek and 2 more | 63 Android, Yocto, Mt2731 and 60 more | 2024-02-04 | N/A | 3.3 LOW |
In mnld, there is a possible leak of GPS location due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07735968 / ALPS07884552 (For MT6880, MT6890, MT6980, MT6980D and MT6990 only); Issue ID: ALPS07735968 / ALPS07884552 (For MT6880, MT6890, MT6980, MT6980D and MT6990 only). | |||||
CVE-2023-20696 | 3 Google, Mediatek, Openwrt | 26 Android, Mt6880, Mt6890 and 23 more | 2024-02-04 | N/A | 6.7 MEDIUM |
In preloader, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07856356 / ALPS07874388 (For MT6880 and MT6890 only); Issue ID: ALPS07856356 / ALPS07874388 (For MT6880 and MT6890 only). | |||||
CVE-2022-41435 | 1 Openwrt | 1 Luci | 2024-02-04 | N/A | 5.4 MEDIUM |
OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments. | |||||
CVE-2022-38333 | 1 Openwrt | 1 Openwrt | 2024-02-04 | N/A | 7.5 HIGH |
Openwrt before v21.02.3 and Openwrt v22.03.0-rc6 were discovered to contain two skip loops in the function header_value(). This vulnerability allows attackers to access sensitive information via a crafted HTTP request. | |||||
CVE-2021-45904 | 1 Openwrt | 1 Openwrt | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen. | |||||
CVE-2021-45906 | 1 Openwrt | 1 Openwrt | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen. | |||||
CVE-2021-45905 | 1 Openwrt | 1 Openwrt | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen. | |||||
CVE-2021-32019 | 1 Openwrt | 1 Openwrt | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
There is missing input validation of host names displayed in OpenWrt before 19.07.8. The Connection Status page of the luci web-interface allows XSS, which can be used to gain full control over the affected system via ICMP. | |||||
CVE-2021-27821 | 1 Openwrt | 1 Luci | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. |