CVE-2022-41435: luci-mod-system: sshkeys.js: prevent XSS through pubkey comments · openwrt/luci@944b557

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments.

@@ -112,7 +112,7 @@ function renderKeyItem(pubkey) {

click: isReadonlyView ? null : removeKey,

'data-key’: pubkey.src

}, [

E('strong’, pubkey.comment || _(‘Unnamed key’)), E(‘br’),

E('strong’, [ pubkey.comment || _(‘Unnamed key’) ]), E(‘br’),

E('small’, [

'%s, %s’.format(pubkey.type, pubkey.curve || _(‘%d Bit’).format(pubkey.bits)),

pubkey.options ? E([], [
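Review bot: the array wrapper in `E('strong', [ pubkey.comment || _('Unnamed key') ])` is the whole fix, and nothing in the code says why it is there, so a later cleanup could collapse it back to the bare-string form and reopen the XSS named in the commit title. Please add a short comment above that line stating that `pubkey.comment` comes from the uploaded key and must be passed as a child-list entry rather than as a string content argument. The other key-derived values in `renderKeyItem` deserve the same check, in particular the `pubkey.options` branch that starts on the last context line and is cut off here. A regression test using a key whose comment contains markup would keep this from regressing.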
