Arbitrary Command Injection in OpenWrt DDNS Package

Arbitrary Command Injection in OpenWrt DDNS Package

CVE-2021-28961 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests.

Learn more about our User Device Pen Test.