CVE-2018-11491
https://notcve.org/view.php?id=CVE-2018-11491
ASUS HG100 devices with firmware before 1.05.12 allow unauthenticated access, leading to remote command execution. • https://mars-cheng.github.io/blog/2018/CVE-2018-11491 https://www.asus.com/tw/News/qnEosWKPVDpmOeqL • CWE-287: Improper Authentication
CVE-2016-6558 – The ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, is vulnerable to command injection
https://notcve.org/view.php?id=CVE-2016-6558
A command injection vulnerability exists in apply.cgi in the web interface of the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided by action_script does not match one of the hard-coded options, it is executed as the argument of either a system() or an eval() call, allowing arbitrary commands to be executed. • https://www.kb.cert.org/vuls/id/763843 https://www.securityfocus.com/bid/93596 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-6557 – The ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, is vulnerable to cross-site request forgery
https://notcve.org/view.php?id=CVE-2016-6557
In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possibly earlier, the web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. • https://www.kb.cert.org/vuls/id/763843 https://www.securityfocus.com/bid/93596 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-0582
https://notcve.org/view.php?id=CVE-2018-0582
A cross-site scripting vulnerability in ASUS RT-AC68U firmware versions prior to 3.0.0.4.380.1031 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://jvn.jp/en/jp/JVN73742314/index.html https://www.asus.com/Networking/RTAC68U/HelpDesk_BIOS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-0583
https://notcve.org/view.php?id=CVE-2018-0583
A cross-site scripting vulnerability in ASUS RT-AC1200HP firmware versions prior to 3.0.0.4.380.4180 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://jvn.jp/en/jp/JVN34562916/index.html https://www.asus.com/Networking/RTAC1200HP/HelpDesk_BIOS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')