LEDE security vulnerabilities
LEDE is router firmware developed by the individual developer Coolsnowwolf. LEDE versions r25.10.1 and earlier contain security vulnerabilities. These vulnerabilities stem from an infinite loop in the Wi-Fi driver component bnlib.C, which could lead to a denial-of-service attack...
EUVD-2020-28898
Malware in sbrugna...
EUVD-2018-11315
Malware in sbrugna...
CVE-2020-7982
An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary...
Design/Logic Flaw
An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary...
CVE-2020-7982
OpenWrt/OpenWrt-derived builds are affected by CVE-2020-7982. A bug in the opkg package manager fork (before 2020-01-25) misparses embedded checksums in the signed repository index, enabling a man-in-the-middle attacker to inject arbitrary package payloads that are installed without verification....
PT-2020-19897 · Openwrt +1 · Openwrt +2
Name of the Vulnerable Software and Affected Versions: OpenWrt versions 18.06.0 through 18.06.6; OpenWrt version 19.07.0; LEDE versions 17.01.0 through 17.01.7. Description: A bug in the fork of the opkg package manager prevents correct parsing of embedded checksums in the signed repository index,...
OpenWrt and LEDE Cross-Site Scripting Vulnerabilities
Both OpenWrt and LEDE are Linux operating systems for embedded devices. The systems are capable of providing fully writable file systems and package management. A cross-site scripting vulnerability exists in the 'cgi_handle_request' function in OpenWrt versions 18.06.1 and earlier and LEDE versions...
Cross site scripting
cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?[XSS] URI...
CVE-2018-19630
cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?[XSS] URI...
CVE-2018-19630
The vulnerability CVE-2018-19630 affects OpenWrt up to 18.06.1 and LEDE up to 17.01, where the uhttpd component’s cgi_handle_request is vulnerable to unauthenticated reflected XSS via the request URI (demonstrated with cgi-bin/?[XSS]). The issue is triggered by crafted URI input and allows a refl...