Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal
Vulnerability Description
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
OpenWrt LuCI 跨站脚本漏洞
Vulnerability Description
OpenWrt LuCI是OpenWRT开源的一款用于OpenWrt(Linux发行版)的图形化配置界面。 OpenWrt LuCI 24.10.5之前版本和25.12.0之前版本存在跨站脚本漏洞,该漏洞源于无线扫描模态中存在存储型跨站脚本问题,可能导致攻击者执行任意HTML/JavaScript。
CVSS Information
N/A
Vulnerability Type
N/A