Openwebif · Openwebif · CVE-2017-9333
**Name of the Vulnerable Software and Affected Versions**
OpenWebif version 1.2.5
**Description**
The vulnerability allows remote code execution through a URL passed to the `CallOPKG` function in the `IpkgController` class in `plugin/controllers/ipkg.py`: the function accepts a URL where a package name is expected, and when that URL refers to an attacker-controlled web site hosting a Trojan horse package, the package is fetched and installed. The threat model is relevant wherever untrusted users can trigger `CallOPKG` calls and enter an arbitrary URL in an input field intended for a package name. This may also apply to the latest versions of third-party products that bundle OpenWebif, such as set-top box products.
**Recommendations**
For OpenWebif version 1.2.5, consider restricting access to the `CallOPKG` function in the `IpkgController` class to prevent remote code execution via malicious URLs. As a temporary workaround, restrict the input field to only accept package names and prevent users from entering arbitrary URLs.
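As an added example (not OpenWebif's own code), a Python validator of the kind the workaround above calls for: it accepts only plain package names and refuses URLs, paths and option-like values before anything reaches opkg. The command allow-list, the Debian-style name pattern and the function names are assumptions, not taken from the project.

```python
import re

# Assumed naming policy for opkg/ipk packages (Debian-style): lowercase
# letters, digits and the characters + - . ; must start with a letter or
# digit and be at least two characters long.
_PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

# Sub-commands this wrapper is willing to forward to opkg (constructed
# allow-list; adjust to what the web UI actually needs to expose).
_ALLOWED_COMMANDS = {"install", "remove", "info", "status"}


def is_valid_package_name(name):
    """Return True only if `name` is a plain package name.

    Rejects anything opkg could treat as a download location (URLs such as
    http://attacker.example/backdoor.ipk), a local file path, an option
    (leading '-'), or a value containing whitespace or shell metacharacters.
    """
    if not isinstance(name, str) or len(name) > 128:
        return False
    if "://" in name or "/" in name or "\\" in name:
        return False
    return _PACKAGE_NAME_RE.fullmatch(name) is not None


def reject_reason(command, package):
    """Return None if the request is acceptable, else a short reason."""
    if command not in _ALLOWED_COMMANDS:
        return "unsupported opkg command"
    if not is_valid_package_name(package):
        return "argument is not a plain package name"
    return None


def safe_opkg_argv(command, package):
    """Build an argv list for opkg, refusing anything outside the allow-list.

    The list is meant for subprocess.run(argv) without shell=True, so no
    shell ever parses the package name; the validator guarantees the name
    cannot start with '-' and so cannot be read as an option either.
    """
    reason = reject_reason(command, package)
    if reason is not None:
        raise ValueError("%s: %r" % (reason, package))
    return ["opkg", command, package]
```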