CVE-2023-31195
https://notcve.org/view.php?id=CVE-2023-31195
ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked. • https://jvn.jp/en/jp/JVN34232595 https://www.asus.com/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax3000/helpdesk_bios/?model2Name=RT-AX3000 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2023-34941
https://notcve.org/view.php?id=CVE-2023-34941
A stored cross-site scripting (XSS) vulnerability in the urlFilterList function of Asus RT-N10LX Router v2.0.0.39 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL Keyword List text field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://github.com/OlivierLaflamme/cve/blob/main/ASUS-N10LX_2.0.0.39/StoredXSS_FirewallURLFilter.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-34940
https://notcve.org/view.php?id=CVE-2023-34940
Asus RT-N10LX Router v2.0.0.39 was discovered to contain a stack overflow via the url parameter at /start-apply.html. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://github.com/OlivierLaflamme/cve/blob/main/ASUS-N10LX_2.0.0.39/URLFilterList_Stack_BOF.md • CWE-787: Out-of-bounds Write •
CVE-2023-34942
https://notcve.org/view.php?id=CVE-2023-34942
Asus RT-N10LX Router v2.0.0.39 was discovered to contain a stack overflow via the mac parameter at /start-apply.html. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://github.com/OlivierLaflamme/cve/blob/main/ASUS-N10LX_2.0.0.39/MAC_Address_StackBOF.md • CWE-787: Out-of-bounds Write •
CVE-2023-28702 – ASUS RT-AC86U - Command Injection
https://notcve.org/view.php?id=CVE-2023-28702
ASUS RT-AC86U does not filter special characters for parameters in specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands, disrupt system or terminate service. • https://www.twcert.org.tw/tw/cp-132-7146-ef92a-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •