Luci OpenWRT Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Luci OpenWRT version 18.06.2. This vulnerability exists in the '/admin/system/packages' endpoint, where attackers can execute arbitrary JavaScript in the context of the user's browser by sending a crafted payload.

Impact

Exploitation of this vulnerability could allow attackers to steal session tokens, potentially leading to account takeover.

Reproduction

To reproduce this vulnerability, proxy the traffic through Burp Suite and navigate to the '/cgi-bin/luci/admin/system/packages' endpoint. Enter any package name in the 'Filter' field and submit the request. Once the response is received, send the POST request to the Repeater tab. In the 'display' parameter, insert the JavaScript payload. After sending the request, right-click in the Repeater tab and select 'Request in browser' to execute the payload. Finally, click the 'Reset button' to trigger the execution.