<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Calibri">Hi all,<br>
<br>
Any news regarding CVE assignment?<br>
<br>
Regards,<br>
Marcin <br>
</font><br>
<div class="moz-cite-prefix">On 13/11/2019 23:34, Hauke Mehrtens
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:09cccd72-f969-0324-f78a-a1c416406f50@hauke-m.de"
id="mid_09cccd72_f969_0324_f78a_a1c416406f50_hauke_m_de" class="
cite">
<pre class="moz-quote-pre" wrap="">Security Advisory 2019-11-05-1 - LuCI stored XSS

DESCRIPTION
A vulnerability has been reported in LuCI which allows injection of
script code through maliciously crafted wireless network SSIDs.
When joining a wireless network by clicking Network -> Wireless -> Join,
the subsequent configuration view interprets the SSID of the network
to join without proper escaping, allowing execution of arbitrary
JavaScript in the client's web browser through network names which
contain a payload, for example
AP&lt;/h2&gt;&lt;svg onclick=alert(0);&gt;
Additionally the network interface overview displays configured wireless
network SSID without proper escaping.
Since the SSID string is stored in the UCI configuration, the issue
effectively becomes a Stored Cross Site Scripting (XSS)
vulnerability.

REQUIREMENTS
In order to exploit this vulnerability, a user needs to either
explicitly pick a network with a malicious SSID from the wireless scan
result list or manually add a wireless network with an SSID containing
embedded script and browse to the network interface overview page.
The wireless scan result list is not affected by this issue, so no
automatic script code execution is possible through it.

MITIGATIONS
To fix this issue, update the affected LuCI package using the command
below. The fix is contained in version `git-19.309.48729-bc17ef673` and
later.
`opkg update; opkg upgrade luci-mod-admin-full`
To work around the problem, avoid joining networks with HTML code in the
SSID.

AFFECTED VERSIONS
To our knowledge, LuCI packages with OpenWrt versions 18.06.0 to 18.06.4
are affected. OpenWrt 19.07 is not affected by this problem.
The fixed LuCI packages are integrated in the OpenWrt 18.06.5. Older
versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life
and not supported any more.

CREDITS
The issue has been reported by Marcin Zieba <a class="moz-txt-link-rfc2396E" href="mailto:marcin.zieba@ehlo.red">&lt;marcin.zieba@ehlo.red&gt;</a> on
27th October 2019 and independently by Ridwan Maulana <a class="moz-txt-link-rfc2396E" href="mailto:mrm@asdqwe.net">&lt;mrm@asdqwe.net&gt;</a>
on 5th November 2019.
The issue has been fixed by Jo-Philipp Wich <a class="moz-txt-link-rfc2396E" href="mailto:jo@mein.io">&lt;jo@mein.io&gt;</a>

REFERENCES
<a class="moz-txt-link-freetext" href="https://github.com/openwrt/luci/commit/bc17ef673f734ea8e7e696ba5735588da9111dcd">https://github.com/openwrt/luci/commit/bc17ef673f734ea8e7e696ba5735588da9111dcd</a>
</pre>
</blockquote>
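<br>
Added example, not part of the mails above and not LuCI's own code: escaping an SSID at the point of HTML output, plus an audit of UCI wireless configuration text for stored SSIDs that contain angle brackets. The function names, the heading markup and the sample configuration are assumptions made for illustration; the first sample SSID is the payload quoted in the advisory.

```javascript
// Added example, not LuCI code. All names below are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// "Before": the SSID is concatenated into markup as-is.
function headingUnsafe(ssid) {
  return '<h2>Joining network: ' + ssid + '</h2>';
}

// "After": the SSID is escaped where it is written into the page.
function headingSafe(ssid) {
  return '<h2>Joining network: ' + escapeHtml(ssid) + '</h2>';
}

// Report every `option ssid` in UCI config text whose value contains < or >.
// The check runs on the raw remainder of the line, so it does not depend on
// how the value is quoted.
function auditUciSsids(configText) {
  const findings = [];
  let section = '(anonymous)';
  configText.split('\n').forEach((line, index) => {
    const sec = /^\s*config\s+\S+(?:\s+['"]?([^'"\s]+)['"]?)?/.exec(line);
    if (sec) { section = sec[1] || '(anonymous)'; return; }
    const opt = /^\s*option\s+ssid\s+(.*?)\s*$/.exec(line);
    if (opt && /[<>]/.test(opt[1])) {
      const ssid = opt[1].replace(/^(['"])(.*)\1$/, '$2'); // drop outer quotes
      findings.push({ line: index + 1, section, ssid });
    }
  });
  return findings;
}

// Constructed sample configuration text.
const SAMPLE_CONFIG = [
  "config wifi-iface 'default_radio0'",
  "\toption ssid 'AP</h2><svg onclick=alert(0);>'",
  "",
  "config wifi-iface 'default_radio1'",
  "\toption ssid 'OpenWrt'",
].join('\n');

for (const f of auditUciSsids(SAMPLE_CONFIG)) {
  console.log(`line ${f.line} [${f.section}] renders safely as: ${headingSafe(f.ssid)}`);
}
```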
<br>
<br>
</body>
</html>