CVE-2018-14713
https://notcve.org/view.php?id=CVE-2018-14713
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter. La vulnerabilidad de cadena de formato en appGet.cgi en ASUS RT-AC3200 versión 3.0.0.4.382.50010, permite a los atacantes leer secciones arbitrarias de memoria y registros de la CPU mediante el parámetro URL "hook". • https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8 • CWE-134: Use of Externally-Controlled Format String •
CVE-2018-14712
https://notcve.org/view.php?id=CVE-2018-14712
Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. Una vulnerabilidad de desbordamiento de búfer en appGet.cgi en ASUS RT-AC3200 versión 3.0.0.4.382.50010, permite a los atacantes inyectar comandos del sistema por medio del parámetro de URL "hook". • https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2018-14711
https://notcve.org/view.php?id=CVE-2018-14711
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. Una vulnerabilidad en la falta la protección para cross-site request forgery en appGet.cgi en ASUS RT-AC3200 versión 3.0.0.4.382.50010, permite a los atacantes generar acciones de cambio de estado con URL especialmente creadas. • https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2018-14710
https://notcve.org/view.php?id=CVE-2018-14710
Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. Una vulnerabilidad de tipo Cross-site scripting en appGet.cgi en ASUS RT-AC3200 versión 3.0.0.4.382.50010, permiten a los atacantes ejecutar JavaScript mediante el parámetro URL "hook". • https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-9285 – ASUS TM-AC1900 Arbitrary Command Execution
https://notcve.org/view.php?id=CVE-2018-9285
Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, RT-AC86U, RT-AC88U, RT-AC1900, RT-AC2900, and RT-AC3100 devices before 3.0.0.4.384_10007; RT-N18U devices before 3.0.0.4.382.39935; RT-AC87U and RT-AC3200 devices before 3.0.0.4.382.50010; and RT-AC5300 devices before 3.0.0.4.384.20287 allows OS command injection via the pingCNT and destIP fields of the SystemCmd variable. Main_Analysis_Content.asp en /apply.cgi en dispositivos ASUS RT-AC66U, RT-AC68U, RT-AC86U, RT-AC88U, RT-AC1900, RT-AC2900 y en dispositivos RT-AC3100 en versiones anteriores a la 3.0.0.4.384_10007; dispositivos RT-N18U en versiones anteriores a la 3.0.0.4.382.39935; dispositivos RT-AC87U y RT-AC3200 en versiones anteriores a la 3.0.0.4.382.50010; y dispositivos RT-AC5300 en versiones anteriores a la 3.0.0.4.384.20287 permite la inyección de comandos del sistema operativo mediante los campos pingCNT y destIP de la variable SystemCmd. • http://packetstormsecurity.com/files/160049/ASUS-TM-AC1900-Arbitrary-Command-Execution.html https://fortiguard.com/zeroday/FG-VD-17-216 https://www.fortinet.com/blog/threat-research/fortiguard-labs-discovers-vulnerability-in-asus-router.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •