PT-2019-15743 · Openwrt+1 · Openwrt+1
Published
2019-12-03
·
Updated
2023-05-24
·
CVE-2019-18992
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OpenWrt version 18.06.4
Description
The issue allows for XSS via the
Name fields in the /cgi-bin/luci/admin/network/firewall/rules API endpoint, specifically in the "Open ports on router", "New forward rule", and "New Source NAT" fields. This can be exploited on devices such as the TP-Link Archer C7.Recommendations
For OpenWrt version 18.06.4, avoid using the
Name fields in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the /cgi-bin/luci/admin/network/firewall/rules API endpoint to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openwrt
Tp-Link Archer C7