4 matches found
CVE-2021-38113
OpenWebif (aka e2openplugin-OpenWebif)
CVE-2017-9807
OpenWebif plugin for E2 open devices (versions up to 1.2.4) is affected. The saveConfig function in plugin/controllers/models/config.py evaluates the HTTP GET parameter key, enabling unauthenticated remote code execution via /api/saveconfig. Some devices run the plugin with root privileges (e.g.,...
CVE-2017-9333
OpenWebif 1.2.5 is vulnerable to remote code execution via the CallOPKG function in the IpkgController class (plugin/controllers/ipkg.py) when an attacker-controlled URL references a Trojan horse package. The issue arises if untrusted users can trigger CallOPKG calls and can enter arbitrary URLs ...
CVE-2018-20332
CVE-2018-20332 affects the OpenWebif plugin (versions up to 1.2.4) on Enigma2-based devices. The issue enables reading of arbitrary files and listing of arbitrary directories via /file?action=download&file=... and /file?action=download&dir=..., related to plugin/controllers/file.py in the e2openp...