Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504. This issue affects the function run_action of the file modules/luci-base/ucode/dispatcher.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. The patch is named 24d7da2416b9ab246825c33c213fe939a89b369c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230663.
AnalysisAI
A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504.uc of the component 404 Error Template Handler. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. The patch is named 24d7da2416b9ab246825c33c213fe939a89b369c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230663. Affected products include: X-Wrt Luci. Version information: up to 22.10.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_st
Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/Jav
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vuln
OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerabilit
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rat
Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user wi
Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the a
Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload t
Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke
A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript co
Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a l
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerabil
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today