Vulnerabilities (CVE)

Filtered by vendor Asus Subscribe
Total 266 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-11063 1 Asus 1 Smarthome 2024-02-28 8.3 HIGH 8.8 HIGH
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CVE-2018-20336 1 Asus 2 Asuswrt-merlin, Rt-ac68u 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in ASUSWRT 3.0.0.4.384.20308. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
CVE-2018-14710 1 Asus 2 Rt-ac3200, Rt-ac3200 Firmware 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter.
CVE-2019-10709 1 Asus 1 Precision Touchpad 2024-02-28 7.5 HIGH 9.8 CRITICAL
AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.
CVE-2018-14711 1 Asus 2 Rt-ac3200, Rt-ac3200 Firmware 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs.
CVE-2018-14980 1 Asus 2 Zenfone 3 Max, Zenfone 3 Max Firmware 2024-02-28 3.6 LOW 7.1 HIGH
The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain. The system_server process in the core android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage (i.e., sdcard). The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device.
CVE-2019-11061 1 Asus 2 Hg100, Hg100 Firmware 2024-02-28 4.8 MEDIUM 8.1 HIGH
A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CVE-2018-14713 1 Asus 2 Rt-ac3200, Rt-ac3200 Firmware 2024-02-28 5.5 MEDIUM 8.1 HIGH
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.
CVE-2017-17944 1 Asus 2 Hivivo, Vivobaby 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.
CVE-2017-17945 1 Asus 2 Hivivo, Vivobaby 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.
CVE-2019-11060 1 Asus 2 Hg100, Hg100 Firmware 2024-02-28 7.8 HIGH 7.5 HIGH
The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time. CVSS 3.0 Base score 7.4 (Availability impacts). CVSS vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
CVE-2018-18287 1 Asus 2 Rt-ac58u, Rt-ac58u Firmware 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discover hostnames and IP addresses by reading dhcpLeaseInfo data in the HTML source code of the Main_Login.asp page.
CVE-2016-6558 1 Asus 14 Ea-n66, Ea-n66 Firmware, Rp-ac52 and 11 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided by action_script does not match one of the hard coded options, then it will be executed as the argument of either a system() or an eval() call allowing arbitrary commands to be executed.
CVE-2018-18536 1 Asus 2 Aura Sync, Aura Sync Firmware 2024-02-28 7.2 HIGH 7.8 HIGH
The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges.
CVE-2018-11492 1 Asus 2 Hg100, Hg100 Firmware 2024-02-28 7.8 HIGH 7.5 HIGH
ASUS HG100 devices allow denial of service via an IPv4 packet flood.
CVE-2018-18537 1 Asus 2 Aura Sync, Aura Sync Firmware 2024-02-28 2.1 LOW 5.5 MEDIUM
The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address.
CVE-2018-17023 1 Asus 2 Gt-ac5300, Gt-ac5300 Firmware 2024-02-28 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.
CVE-2018-18291 1 Asus 2 Rt-ac58u, Rt-ac58u Firmware 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
A cross site scripting (XSS) vulnerability on ASUS RT-AC58U 3.0.0.4.380_6516 devices allows remote attackers to inject arbitrary web script or HTML via Advanced_ASUSDDNS_Content.asp, Advanced_WSecurity_Content.asp, Advanced_Wireless_Content.asp, Logout.asp, Main_Login.asp, MobileQIS_Login.asp, QIS_wizard.htma, YandexDNS.asp, ajax_status.xml, apply.cgi, clients.asp, disk.asp, disk_utility.asp, or internet.asp.
CVE-2018-11491 1 Asus 2 Hg100, Hg100 Firmware 2024-02-28 10.0 HIGH 9.8 CRITICAL
ASUS HG100 devices with firmware before 1.05.12 allow unauthenticated access, leading to remote command execution.
CVE-2016-6557 1 Asus 14 Ea-n66, Ea-n66 Firmware, Rp-ac52 and 11 more 2024-02-28 6.8 MEDIUM 8.8 HIGH
In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possibly earlier, the web interface, the web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.