PT-2022-5792 · Unknown+3 · Luci-Mod-System+3

Eric Mcdonald · Published 2022-09-21 · Updated 2022-11-04

CVE-2022-41435

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: OpenWrt LuCI version git-22.140.66206-02913be
Description: Stored cross-site scripting (XSS) in the /system/sshkeys.js component of the LuCI web interface (luci-mod-system module) of the OpenWrt embedded operating system. When the SSH-Keys page renders the entries read from /etc/dropbear/authorized_keys, the free-text comment field of each key is inserted into the page without being HTML-escaped, so a comment containing markup or script becomes part of the page structure. An attacker who can get a public key with a crafted comment into that file can therefore execute arbitrary web scripts or HTML in the browser of any user who opens the page, within that user's session.
Recommendations: For OpenWrt LuCI version git-22.140.66206-02913be, consider removing or disabling the SSH-Keys page (the /system/sshkeys.js component of luci-mod-system) until a patched build is available, and manage keys by editing the file over SSH instead. Restrict who can write to /etc/dropbear/authorized_keys, since the stored payload has to reach that file, and review its current contents: a legitimate key comment has no reason to contain HTML metacharacters such as <, >, " or '. Do not paste keys with untrusted comments into the affected page until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
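The mechanism described above, as an added example that is not LuCI's own code: a hypothetical key-list renderer that reads a constructed /etc/dropbear/authorized_keys sample, first the way the advisory describes (comment concatenated into markup unescaped) and then with HTML escaping of every field taken from the file, plus a small audit helper that flags comments carrying HTML metacharacters for the review step in the recommendations. The function names, the placeholder key material and the payload comment are all assumptions made for this example; string output is used so it runs under Node, whereas a browser page would create elements and set textContent rather than assign innerHTML.

```javascript
"use strict";

// Added example, not LuCI's code. Shows how an unescaped comment from
// /etc/dropbear/authorized_keys becomes stored XSS when a key list is
// rendered, and how escaping every untrusted field removes the problem.

// Constructed sample file content. Key material is a placeholder, not a
// real key. The third entry carries an active HTML payload as its comment.
const SAMPLE_AUTHORIZED_KEYS = [
  "# keys managed by the team",
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 admin@workstation",
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDERKEY2 backup host",
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY3 <img src=x onerror="alert(1)">',
].join("\n");

// Parse "<type> <base64 key> [comment ...]" lines. The comment is free text
// and may contain spaces, so everything after the key is joined back together.
function parseAuthorizedKeys(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((line) => {
      const parts = line.split(/\s+/);
      return { type: parts[0], key: parts[1] || "", comment: parts.slice(2).join(" ") };
    });
}

// Escape the five characters that can change meaning in HTML text or in a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering (the pattern the advisory describes): the comment is
// concatenated straight into markup, so any tags in it become part of the page.
function renderKeyListVulnerable(entries) {
  return entries
    .map((e) => `<li><strong>${e.type}</strong> ${e.comment}</li>`)
    .join("");
}

// Hardened rendering: every field that came from the file is escaped first,
// so the payload is displayed as literal text instead of being parsed as HTML.
function renderKeyListSafe(entries) {
  return entries
    .map((e) => `<li><strong>${escapeHtml(e.type)}</strong> ${escapeHtml(e.comment)}</li>`)
    .join("");
}

// Audit helper for an existing file: return the comments that contain HTML
// metacharacters, which a legitimate key comment has no reason to carry.
function suspiciousComments(entries) {
  return entries.filter((e) => /[<>"'&]/.test(e.comment)).map((e) => e.comment);
}

// Stand-alone demonstration on the constructed sample.
const demoEntries = parseAuthorizedKeys(SAMPLE_AUTHORIZED_KEYS);
console.log("vulnerable:", renderKeyListVulnerable(demoEntries));
console.log("hardened:  ", renderKeyListSafe(demoEntries));
console.log("flagged:   ", suspiciousComments(demoEntries));
```

The audit helper is the practical check for a deployed router: pull /etc/dropbear/authorized_keys over SSH, run it through parseAuthorizedKeys and suspiciousComments, and treat any flagged entry as a key that should not be there, regardless of whether the LuCI page has been patched.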

Exploit: XSS

Weakness Enumeration: (none listed)

Related Identifiers: BDU:2022-07192, CVE-2022-41435

Affected Products: Luci, Openwrt, Dropbear, Luci-Mod-System