OpenWrt Project, OPENWRT-SA-2021-08-01-2
Aug 01, 2021 - 12:00 a.m.

Security Advisory 2021-08-01-2 - Stored XSS in hostname UCI variable (CVE-2021-33425)

2021-08-01 00:00:00
OpenWrt Project
openwrt.org

CVSS2: 3.5 Low (AV:N/AC:M/Au:S/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVSS3: 5.4 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

AI Score: 6 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 22.9%)

DESCRIPTION
Multiple OpenWrt LuCI templates, including the one shipped by default, integrated the content of the UCI hostname variable without stripping malicious JavaScript from it. This allowed an attacker who can control the content of the UCI hostname variable to inject arbitrary JavaScript into LuCI.

The following LuCI packages were affected:

  • luci-theme-bootstrap

  • luci-theme-material

  • luci-theme-openwrt

REQUIREMENTS
The attacker needs permission to change the UCI hostname variable. Normally only the root user is allowed to do this. In a normal OpenWrt installation such a user would already be allowed to make arbitrary changes to LuCI, including changing the LuCI templates.

An attacker has to store a malicious hostname like this:

$ uci set system.@system[0].hostname='<script>alert("XSS")</script>'
$ uci commit
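
To check a device for a stored value like the one above, the following added example (not code from the OpenWrt project) audits the hostname and shows output encoding for display. The function names and the RFC 1123 hostname rule are assumptions of this example; the advisory does not describe how the templates were fixed.

```shell
#!/bin/sh
# Added example (not OpenWrt project code): audit the stored hostname.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges ASCII-only

# Return 0 if $1 is a plain RFC 1123 hostname, 1 otherwise.
is_valid_hostname() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;          # markup, quotes, spaces, ...
        .*|*.|*..*) return 1 ;;                # empty label
        -*|*-|*.-*|*-.*) return 1 ;;           # label starts or ends with "-"
    esac
    rest=$name
    while [ -n "$rest" ]; do                   # every label is at most 63 chars
        label=${rest%%.*}
        [ "${#label}" -le 63 ] || return 1
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    return 0
}

# Encode the five HTML-significant characters so a value is shown as text.
html_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Print a verdict for one value; the return status is 1 for a suspicious value.
audit_hostname() {
    if is_valid_hostname "$1"; then
        echo "ok: $1"
    else
        echo "suspicious hostname (shown escaped): $(html_escape "$1")"
        return 1
    fi
}

if command -v uci >/dev/null 2>&1; then
    audit_hostname "$(uci -q get 'system.@system[0].hostname')" || true
else
    # Constructed sample: the value from the advisory's example.
    audit_hostname '<script>alert("XSS")</script>' || true
fi
```

On a system without `uci` the script falls back to the constructed sample and prints it in escaped form.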

AFFECTED VERSIONS
To our knowledge, OpenWrt versions 19.07.0 to 19.07.7 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.8 and OpenWrt 21.02.0 releases. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and no longer supported.

CREDITS
This issue was identified by Рома Шагун.
