542 matches found
CVE-2020-11963
CVE-2020-11963 affects IQrouter up to firmware 3.3.1. When the device is unconfigured, the web-panel is vulnerable to Bash Shell Metacharacter Injection leading to remote code execution and potential root privileges. Documented impact includes multiple RCE vectors in the web-panel; exploitation r...
PT-2020-12954 · Linux +3
Name of the Vulnerable Software and Affected Versions: IQrouter versions prior to 3.3.1
Description: The issue is related to Bash Shell Metacharacter Injection, which leads to multiple remote code execution vulnerabilities in the web-panel of IQrouter when it is unconfigured. This issue is not...
CVE-2020-11968
In the web-panel in IQrouter through 3.3.1, remote attackers can read system logs because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration which has a required step for settin...
CVE-2020-11967
In IQrouter through 3.3.1, remote attackers can control the device (restart network, reboot, upgrade, reset) because of Incorrect Access Control. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration which has a...
PT-2020-12956 · Openwrt +1
Name of the Vulnerable Software and Affected Versions: IQrouter versions 3.3.1 and earlier
Description: The issue allows attackers to gain full remote access via SSH due to a root user without a password. This can occur on a brand-new network that has not been configured, specifically after...
CVE-2020-11964
In IQrouter through 3.3.1, the Lua function diagsetpassword in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration which has a...
PT-2020-12959 · Openwrt +1
Name of the Vulnerable Software and Affected Versions: IQrouter versions through 3.3.1
Description: The issue allows remote attackers to read system logs due to Incorrect Access Control in the web-panel. This can occur on a brand-new network before the initial configuration is completed, includin...
Critical RCE Bug Affects Millions of OpenWrt-based Network Devices
A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic. Tracked as...
OpenWrt LuCI Information Disclosure Vulnerability
OpenWrt LuCI is a graphical configuration interface for OpenWrt Linux distribution. An information disclosure vulnerability exists in the OpenWrt LuCI git-20.x version, which can be exploited by remote attackers to retrieve a list of installed packages and services...
CVE-2020-10871
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other more complex ways...
Information disclosure
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other more complex ways...
CVE-2020-10871
OpenWrt LuCI git-20.x contains an information disclosure vulnerability: remote, unauthenticated attackers can retrieve the list of installed packages and services. The vendor disputes the severity, noting the information is publicly obtainable by unauthenticated actors via other methods, and ther...
PT-2020-12389 · Openwrt · Openwrt Luci
Name of the Vulnerable Software and Affected Versions: OpenWrt LuCI versions git-20.x
Description: The issue allows remote unauthenticated attackers to retrieve the list of installed packages and services. The vendor disputes the significance of this report, stating that the same information is...
OpenWrt Injection Vulnerability
OpenWrt is a Linux operating system for embedded devices. An injection vulnerability exists in the package list parsing logic of OpenWrt's opkg fork. An attacker can exploit this vulnerability by performing a man-in-the-middle attack to inject arbitrary code...
OpenWrt uhttpd Buffer Overflow Vulnerability
OpenWrt is a Linux operating system for embedded devices. uhttpd is one of the HTTP services. A buffer overflow vulnerability exists in uhttpd in OpenWrt versions 18.06.5 and earlier and versions 19.x through 19.07.0-rc2. The vulnerability originates when a network system or product performs an...
OpenWrt libubox buffer overflow vulnerability
OpenWrt is a Linux operating system for embedded devices. libubox is one of its basic libraries, providing an event loop, binary format processing, the Linux linked-list implementation and JSON helper functions. A buffer overflow vulnerability exists in libubox in OpenWrt versions prior to 18.06...
CVE-2020-7982
An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary...