Filtered by vendor Asus
Subscriptions
Total
278 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-14979 | 1 Asus | 2 Zenfone 3 Max, Zenfone 3 Max Firmware | 2024-08-05 | N/A |
| The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials. | ||||
| CVE-2018-14980 | 1 Asus | 2 Zenfone 3 Max, Zenfone 3 Max Firmware | 2024-08-05 | N/A |
| The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain. The system_server process in the core android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage (i.e., sdcard). The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device. | ||||
| CVE-2018-14712 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-08-05 | N/A |
| Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. | ||||
| CVE-2018-14711 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-08-05 | N/A |
| Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. | ||||
| CVE-2018-14714 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-08-05 | N/A |
| System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter. | ||||
| CVE-2018-14713 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-08-05 | N/A |
| Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter. | ||||
| CVE-2018-14710 | 1 Asus | 2 Rt-ac3200, Rt-ac3200 Firmware | 2024-08-05 | N/A |
| Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. | ||||
| CVE-2018-11491 | 1 Asus | 2 Hg100, Hg100 Firmware | 2024-08-05 | N/A |
| ASUS HG100 devices with firmware before 1.05.12 allow unauthenticated access, leading to remote command execution. | ||||
| CVE-2018-11492 | 1 Asus | 2 Hg100, Hg100 Firmware | 2024-08-05 | N/A |
| ASUS HG100 devices allow denial of service via an IPv4 packet flood. | ||||
| CVE-2018-9285 | 1 Asus | 22 Rt-ac1900, Rt-ac1900 Firmware, Rt-ac2900 and 19 more | 2024-08-05 | N/A |
| Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, RT-AC86U, RT-AC88U, RT-AC1900, RT-AC2900, and RT-AC3100 devices before 3.0.0.4.384_10007; RT-N18U devices before 3.0.0.4.382.39935; RT-AC87U and RT-AC3200 devices before 3.0.0.4.382.50010; and RT-AC5300 devices before 3.0.0.4.384.20287 allows OS command injection via the pingCNT and destIP fields of the SystemCmd variable. | ||||
| CVE-2018-8877 | 2 Asus, Asuswrt-merlin | 2 Asus Firmware, Asuswrt-merlin | 2024-08-05 | 5.3 Medium |
| Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network IP address ranges by reading the new_lan_ip variable on the error_page.htm page. | ||||
| CVE-2018-8879 | 1 Asus | 2 Rt-ac66u, Rt-ac66u Firmware | 2024-08-05 | 9.8 Critical |
| Stack-based buffer overflow in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to execute arbitrary code by providing a long string to the blocking.asp page via a GET or POST request. Vulnerable parameters are flag, mac, and cat_id. | ||||
| CVE-2018-8878 | 2 Asus, Asuswrt-merlin | 2 Asus Firmware, Asuswrt-merlin | 2024-08-05 | 5.3 Medium |
| Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network devices' hostnames and MAC addresses by reading the custom_id variable on the blocking.asp page. | ||||
| CVE-2018-8826 | 1 Asus | 26 Rt-ac1200, Rt-ac1200 Firmware, Rt-ac1750 and 23 more | 2024-08-05 | N/A |
| ASUS RT-AC51U, RT-AC58U, RT-AC66U, RT-AC1750, RT-ACRH13, and RT-N12 D1 routers with firmware before 3.0.0.4.380.8228; RT-AC52U B1, RT-AC1200 and RT-N600 routers with firmware before 3.0.0.4.380.10446; RT-AC55U and RT-AC55UHP routers with firmware before 3.0.0.4.382.50276; RT-AC86U and RT-AC2900 routers with firmware before 3.0.0.4.384.20648; and possibly other RT-series routers allow remote attackers to execute arbitrary code via unspecified vectors. | ||||
| CVE-2018-6000 | 1 Asus | 1 Asuswrt | 2024-08-05 | N/A |
| An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999. | ||||
| CVE-2018-5999 | 1 Asus | 1 Asuswrt | 2024-08-05 | N/A |
| An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails. | ||||
| CVE-2018-0647 | 1 Asus | 2 Wl-330nul, Wl-330nul Firmware | 2024-08-05 | N/A |
| Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware version prior to 3.0.0.46 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | ||||
| CVE-2018-0583 | 1 Asus | 2 Rt-ac1200hp, Rt-ac1200hp Firmware | 2024-08-05 | N/A |
| Cross-site scripting vulnerability in ASUS RT-AC1200HP Firmware version prior to 3.0.0.4.380.4180 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2018-0581 | 1 Asus | 2 Rt-ac87u, Rt-ac87u Firmware | 2024-08-05 | N/A |
| Cross-site scripting vulnerability in ASUS RT-AC87U Firmware version prior to 3.0.0.4.378.9383 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2018-0582 | 1 Asus | 2 Rt-ac68u, Rt-ac68u Firmware | 2024-08-05 | N/A |
| Cross-site scripting vulnerability in ASUS RT-AC68U Firmware version prior to 3.0.0.4.380.1031 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||