PT-2019-15744 · Openwrt+1
Published: 2019-12-03 · Updated: 2023-05-24 · CVE-2019-18993
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenWrt version 18.06.4
Description
The issue allows for XSS via the "New port forward" Name field to the "cgi-bin/luci/admin/network/firewall/forwards" URI. This can occur on devices such as the TP-Link Archer C7.
Recommendations
For OpenWrt version 18.06.4, consider restricting access to the "cgi-bin/luci/admin/network/firewall/forwards" URI until a fix is available. As a temporary workaround, avoid using the "Name" field in the "New port forward" section to minimize the risk of exploitation.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
OpenWrt
TP-Link Archer C7