CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38032 – ASUS RT-AC86U - Command injection vulnerability - 2
https://notcve.org/view.php?id=CVE-2023-38032
ASUS RT-AC86U AiProtection security- related function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. La función relacionada con la seguridad AiProtection de ASUS RT-AC86U no tiene suficiente filtrado de caracteres especiales. Un atacante remoto con privilegios de usuario normal puede aprovechar esta vulnerabilidad para realizar un ataque de inyección de comandos para ejecutar comandos arbitrarios, interrumpir el sistema o terminar servicios. • https://www.twcert.org.tw/tw/cp-132-7349-7f8cd-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38031 – ASUS RT-AC86U - Command injection vulnerability - 1
https://notcve.org/view.php?id=CVE-2023-38031
ASUS RT-AC86U Adaptive QoS - Web History function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. La función Adaptive Qos - Web History de ASUS RT-AC86U tiene un filtrado insuficiente de caracteres especiales. Un atacante remoto con privilegios de usuario normal puede aprovechar esta vulnerabilidad para realizar un ataque de inyección de comandos para ejecutar comandos arbitrarios, interrumpir el sistema o terminar servicios. • https://www.twcert.org.tw/tw/cp-132-7348-56989-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35720 – ASUS RT-AX92U lighttpd mod_webdav.so SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-35720
ASUS RT-AX92U lighttpd mod_webdav.so SQL Injection Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected ASUS RT-AX92U routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mod_webdav.so module. When parsing a request, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. • https://www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/aimesh-wifi-routers-and-systems/rt-ax92u/helpdesk_bios/?model2Name=RT-AX92U https://www.zerodayinitiative.com/advisories/ZDI-23-1166 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-39086
https://notcve.org/view.php?id=CVE-2023-39086
ASUS RT-AC66U B1 3.0.0.4.286_51665 was discovered to transmit sensitive information in cleartext. • http://121.41.98.87/2023/08/04/info http://asus.com http://na.com • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-34360 – ASUS RT-AX88U - Stored XSS
https://notcve.org/view.php?id=CVE-2023-34360
A stored cross-site scripting (XSS) issue was discovered within the Custom User Icons functionality of ASUS RT-AX88U running firmware versions 3.0.0.4.388.23110 and prior. After a remote attacker logging in device with regular user privilege, the remote attacker can perform a Stored Cross-site Scripting (XSS) attack by uploading image which containing JavaScript code. • https://https://www.twcert.org.tw/tw/cp-132-7281-dc87d-1.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •