First published: Tue Dec 03 2019
OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device).
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
OpenWrt OpenWrt | =18.06.4 | |
The vulnerability ID for this OpenWrt vulnerability is CVE-2019-18992.
The severity of CVE-2019-18992 is medium with a CVSS score of 5.4.
An attacker can exploit this vulnerability by injecting malicious code into one of the affected Name fields at the cgi-bin/luci/admin/network/firewall/rules URI in OpenWrt 18.06.4, leading to cross-site scripting (XSS).
The Name fields affected by this vulnerability are the ones in the cgi-bin/luci/admin/network/firewall/rules URI, specifically "Open ports on router", "New forward rule", and "New Source NAT".
Yes, a fix for CVE-2019-18992 is available. Updating to a version of OpenWrt that includes the fix is recommended.