CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28702 – ASUS RT-AC86U - Command Injection
https://notcve.org/view.php?id=CVE-2023-28702
ASUS RT-AC86U does not filter special characters for parameters in specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands, disrupt system or terminate service. • https://www.twcert.org.tw/tw/cp-132-7146-ef92a-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28703 – ASUS RT-AC86U - Buffer Overflow
https://notcve.org/view.php?id=CVE-2023-28703
ASUS RT-AC86U’s specific cgi function has a stack-based buffer overflow vulnerability due to insufficient validation for network packet header length. A remote attacker with administrator privileges can exploit this vulnerability to execute arbitrary system commands, disrupt system or terminate service. • https://www.twcert.org.tw/tw/cp-132-7147-afcf9-1.html • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 0%CPEs: 188EXPL: 1CVE-2021-43702
https://notcve.org/view.php?id=CVE-2021-43702
ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS). The ASUS router admin panel does not sanitize the WiFI logs correctly, if an attacker was able to change the SSID of the router with a custom payload, they could achieve stored XSS on the device. ASUS RT-A88U versión 3.0.0.4.386_45898 es vulnerable a un ataque de tipo Cross Site Scripting (XSS). El panel de administración del enrutador ASUS no desinfecta los registros de WiFI correctamente, si un atacante pudiera cambiar el SSID del enrutador con una carga útil personalizada, podría obtener XSS almacenado en el dispositivo • https://www.asus.com/uk/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AC88U https://www.kroll.com/en/insights/publications/cyber/cve-2021-43702-from-discovery-to-patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25597 – ASUS RT-AC86U - Command Injection
https://notcve.org/view.php?id=CVE-2022-25597
ASUS RT-AC86U’s LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform command injection attack, execute arbitrary commands and disrupt or terminate service. El servicio LPD de ASUS RT-AC86U, presenta un filtrado insuficiente para caracteres especiales en la petición del usuario, lo que permite a un atacante no autenticado de la LAN llevar a cabo un ataque de inyección de comandos, ejecutar comandos arbitrarios e interrumpir o terminar el servicio • https://www.twcert.org.tw/tw/cp-132-5794-09c33-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25596 – ASUS RT-AC86U - Heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2022-25596
ASUS RT-AC56U’s configuration function has a heap-based buffer overflow vulnerability due to insufficient validation for the decryption parameter length, which allows an unauthenticated LAN attacker to execute arbitrary code, perform arbitrary operations and disrupt service. La función de configuración de ASUS RT-AC56U, presenta una vulnerabilidad de desbordamiento de búfer en la región heap de la memoria debido a que no ha sido comprobada suficientemente la longitud del parámetro de descifrado, lo que permite a un atacante LAN no autenticado ejecutar código arbitrario, llevar a cabo operaciones arbitrarias e interrumpir el servicio • https://www.twcert.org.tw/tw/cp-132-5793-4f9d3-1.html • CWE-787: Out-of-bounds Write •