I currently want to reproduce the command injection bug reported in CVE-2019-12272, though my efforts have been unsuccessful so far.
I am a bit confused by the description of the vulnerability:
"In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability."
Does that mean that LuCI versions <= 0.10 are vulnerable? In that case, the newest release of OpenWrt I could find that fits this requirement is v10.03 (LuCI 0.9-0-1), but that release has no real-time monitoring endpoints?
In addition to this, the commit that fixed this issue was made in mid-2018.
I have tested all major versions of OpenWrt (10, 12, 14, 15, 17 and 18).
Could someone please point me to a release that is vulnerable to this exploit?