Turris OS has its first CVE

You may have noticed that we fixed an XSS vulnerability in the Foris web interface in the recent Turris OS 5.1.6 (released 2021-01-19) and Turris OS 3.11.22 (released 2021-01-26).

Together with Niklas Volcz, who reported the vulnerability to us, we agreed to file a CVE record for it, and it was assigned a few hours ago. So, Turris OS has its first CVE: CVE-2021-3346.

This issue is fixed already, so keep your devices updated!

We will disclose the GitLab issue (turris/foris/foris#201) with a detailed description on Monday, February 8th 2021, to give some time to those who use the delayed updates feature.

Kudos to Niklas Volcz and his responsible disclosure :clap:
