EUVD-2021-15610

Malware in sbrugna...

Security Advisory 2021-08-01-3 - luci-app-ddns: Multiple authenticated RCEs (CVE-2021-28961)

DESCRIPTION An authenticated user in LuCI is able to inject shell code in luci-app-ddns. Multiple variables in the luci-app-ddns applications where not validated before they were executed on the system's shell, which could be exploited by adding system shell commands. REQUIREMENTS To exploit this...

CVE-2021-28961

applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests...

CVE-2021-22161

In OpenWrt 19.07.x before 19.07.7, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix...

CVE-2020-7982

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary...