VYPR

Openwebif

by Openwebif Project

CVEs (4)

  • CVE-2017-9807 | Critical | Jun 22, 2017
    risk 0.64 | cvss 9.8 | epss 0.05

    An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key" HTTP GET parameter. This allows an unauthenticated remote attacker to execute…

  • CVE-2017-9333 | High | Sep 18, 2017
    risk 0.57 | cvss 8.8 | epss 0.02

    OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted…

  • CVE-2021-38113 | Aug 4, 2021
    risk 0.00 | cvss | epss 0.01

    In addBouquet in js/bqe.js in OpenWebif (aka e2openplugin-OpenWebif) through 1.4.7, inserting JavaScript into the Add Bouquet feature of the Bouquet Editor (i.e., bouqueteditor/api/addbouquet?name=) leads to Stored XSS.

  • CVE-2018-20332 | Dec 21, 2018
    risk 0.00 | cvss | epss 0.02

    An issue has been discovered in the OpenWebif plugin through 1.2.4 for Enigma2 based devices. Reading of arbitrary files is possible with /file?action=download&file= followed by a full pathname, and listing of arbitrary directories is possible with /file?action=download&dir=…