541 matches found
CVE-2019-15513
An issue was discovered in OpenWrt libuci aka Library for the Unified Configuration Interface before 15.05.1 as used on Motorola CX2L MWR04L 1.01 and C1 MWR03 1.01 devices. /tmp/.uci/network locking is mishandled after reception of a long SetWanSettings command, leading to a device hang...
Command injection
An issue was discovered in OpenWrt libuci aka Library for the Unified Configuration Interface before 15.05.1 as used on Motorola CX2L MWR04L 1.01 and C1 MWR03 1.01 devices. /tmp/.uci/network locking is mishandled after reception of a long SetWanSettings command, leading to a device hang...
CVE-2019-15513
CVE-2019-15513: OpenWrt libuci before 15.05.1 has a locking issue in /tmp/.uci/network that is mishandled after a long SetWanSettings command, causing device hangs on Motorola CX2L MWR04L 1.01 and C1 MWR03 1.01. The issue is tied to the Unified Configuration Interface library, impacting devices u...
CVE-2017-9385
An issue was discovered on Vera Veralite 1.7.481 devices. The device has an additional OpenWRT interface in addition to the standard web interface which allows the highest privileges a user can obtain on the device. This web interface uses root as the username and the password in the...
Directory traversal
An issue was discovered on Vera Veralite 1.7.481 devices. The device has an additional OpenWRT interface in addition to the standard web interface which allows the highest privileges a user can obtain on the device. This web interface uses root as the username and the password in the...
CVE-2017-9385
CVE-2017-9385 affects Vera Veralite 1.7.481 devices. An extra OpenWRT interface alongside the standard web UI allows highest-privilege access after an attacker exploits a directory traversal to extract the root password from /etc/cmh/cmh.conf, enabling login with root-equivalent privileges. Docum...
CVE-2019-12272
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability...
Command injection
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability...
CVE-2019-12272
CVE-2019-12272 affects OpenWrt LuCI prior to 0.10. The web application endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status are affected by a command injection vulnerability. The connected documents confirm the issue but do not provide details on exploit vect...
OpenWrt LuCI Input Validation Vulnerability
OpenWrt LuCI is a graphical configuration interface for OpenWrt. An input validation vulnerability exists in OpenWrt LuCI admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status, which could be exploited by remote attackers to submit a special request that could execute...
Bitdefender BOX 2 bootstrap download_image command injection vulnerability
Summary: An exploitable command injection vulnerability exists in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands...
Bitdefender BOX 2 bootstrap update_setup command execution vulnerability
Summary: An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/update_setup does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution o...
OpenWrt and LEDE Cross-Site Scripting Vulnerabilities
Both OpenWrt and LEDE are Linux operating systems for embedded devices. The systems are capable of providing fully writable file systems and package management. A cross-site scripting vulnerability exists in the 'cgi_handle_request' function in OpenWrt versions 18.06.1 and earlier and LEDE versions...
CVE-2018-19630
cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?XSS URI...