Show pagesourceOld revisionsBacklinksBack to top × Table of Contents Security Advisory 2021-08-01-1 - XSS via missing input validation of host names displayed (CVE-2021-32019) DESCRIPTION REQUIREMENTS MITIGATIONS AFFECTED VERSIONS CREDITS REFERENCES Security Advisory 2021-08-01-1 - XSS via missing input validation of host names displayed (CVE-2021-32019) DESCRIPTION Missing input validation of host names displayed in OpenWrt LuCI web-interface leads to Cross-site scripting, which can be used to gain full control over the affected system. REQUIREMENTS Users need to visit the LuCI “Connection status” page of the router and activate the host name resolution. The attackers need to hold a connection to the OpenWrt router which is displayed in the Web-interface, ie. via sending ICMP ping messages. MITIGATIONS AFFECTED VERSIONS To our knowledge, OpenWrt version 19.07.0 to 19.07.7 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.8 and OpenWrt 21.02.0 release. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more. CREDITS This issue was identified by Philipp Jeitner and Haya Shulman from Fraunhofer SIT REFERENCES Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS Fix in OpenWrt master: https://github.com/openwrt/luci/commit/3c66c5b1651aa25afbff09bee45047da9a0ba43d Fix in OpenWrt 21.02: https://github.com/openwrt/luci/commit/e2abb45b0ef3cc7c527e73f3d6677a861a6875e0 Fix in OpenWrt 19.07: https://github.com/openwrt/luci/commit/d0cf6e4a57f3c3f4f425ea48a3caefed407e69c4 This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2021/08/07 14:22by hauke