Filtered by vendor Asus
Subscribe
Total
266 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-38105 | 1 Asus | 2 Rt-ax82u, Rt-ax82u Firmware | 2024-02-28 | N/A | 7.5 HIGH |
An information disclosure vulnerability exists in the cm_processREQ_NC opcode of Asus RT-AX82U 3.0.0.4.386_49674-ge182230 router's configuration service. A specially-crafted network packets can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability. | |||||
CVE-2023-26602 | 1 Asus | 1 Asmb8-ikvm Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution. | |||||
CVE-2022-4221 | 1 Asus | 2 Nas-m25, Nas-m25 Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7. | |||||
CVE-2022-44898 | 1 Asus | 1 Aura Sync | 2024-02-28 | N/A | 7.8 HIGH |
The MsIo64.sys component in Asus Aura Sync through v1.07.79 does not properly validate input to IOCTL 0x80102040, 0x80102044, 0x80102050, and 0x80102054, allowing attackers to trigger a memory corruption and cause a Denial of Service (DoS) or escalate privileges via crafted IOCTL requests. | |||||
CVE-2022-42455 | 1 Asus | 1 Armoury Crate | 2024-02-28 | N/A | 7.8 HIGH |
ASUS EC Tool driver (aka d.sys) 1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb, as signed by ASUS and shipped with multiple ASUS software products, contains multiple IOCTL handlers that provide raw read and write access to port I/O and MSRs via unprivileged IOCTL calls. Local users can gain privileges. | |||||
CVE-2021-41437 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2024-02-28 | N/A | 6.5 MEDIUM |
An HTTP response splitting attack in web application in ASUS RT-AX88U before v3.0.0.4.388.20558 allows an attacker to craft a specific URL that if an authenticated victim visits it, the URL will give access to the cloud storage of the attacker. | |||||
CVE-2021-40556 | 1 Asus | 2 Rt-ax56u, Rt-ax56u Firmware | 2024-02-28 | N/A | 8.8 HIGH |
A stack overflow vulnerability exists in the httpd service in ASUS RT-AX56U Router Version 3.0.0.4.386.44266. This vulnerability is caused by the strcat function called by "caupload" input handle function allowing the user to enter 0xFFFF bytes into the stack. This vulnerability allows an attacker to execute commands remotely. The vulnerability requires authentication. | |||||
CVE-2020-23648 | 1 Asus | 2 Rt-n12e, Rt-n12e Firmware | 2024-02-28 | N/A | 7.5 HIGH |
Asus RT-N12E 2.0.0.39 is affected by an incorrect access control vulnerability. Through system.asp / start_apply.htm, an attacker can change the administrator password without any authentication. | |||||
CVE-2022-36438 | 1 Asus | 2 Asusswitch, System Control Interface | 2024-02-28 | N/A | 7.8 HIGH |
AsusSwitch.exe on ASUS personal computers (running Windows) sets weak file permissions, leading to local privilege escalation (this also can be used to delete files within the system arbitrarily). This affects ASUS System Control Interface 3 before 3.1.5.0, and AsusSwitch.exe before 1.0.10.0. | |||||
CVE-2022-26376 | 2 Asus, Asuswrt-merlin | 36 Asuswrt, Et12, Et12 Firmware and 33 more | 2024-02-28 | N/A | 9.8 CRITICAL |
A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. | |||||
CVE-2022-36439 | 1 Asus | 3 Asusliveupdate, Asussoftwaremanger, System Control Interface | 2024-02-28 | N/A | 6.0 MEDIUM |
AsusSoftwareManager.exe in ASUS System Control Interface on ASUS personal computers (running Windows) allows a local user to write into the Temp directory and delete another more privileged file via SYSTEM privileges. This affects ASUS System Control Interface 3 before 3.1.5.0, AsusSoftwareManger.exe before 1.0.53.0, and AsusLiveUpdate.dll before 1.0.45.0. | |||||
CVE-2022-35899 | 2 Asus, Microsoft | 2 Aura Ready Game Software Development Kit, Windows | 2024-02-28 | N/A | 7.8 HIGH |
There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\ASUS\GameSDK.exe file. | |||||
CVE-2021-43702 | 1 Asus | 186 4g-ac53u, 4g-ac53u Firmware, 4g-ac68u and 183 more | 2024-02-28 | 3.5 LOW | 9.0 CRITICAL |
ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS). The ASUS router admin panel does not sanitize the WiFI logs correctly, if an attacker was able to change the SSID of the router with a custom payload, they could achieve stored XSS on the device. | |||||
CVE-2022-38699 | 1 Asus | 1 Armoury Crate Service | 2024-02-28 | N/A | 5.9 MEDIUM |
Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system. | |||||
CVE-2022-26668 | 1 Asus | 1 Control Center | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
ASUS Control Center API has a broken access control vulnerability. An unauthenticated remote attacker can call privileged API functions to perform partial system operations or cause partial disrupt of service. | |||||
CVE-2022-22814 | 1 Asus | 1 Myasus | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation. | |||||
CVE-2022-23972 | 1 Asus | 2 Rt-ax56u, Rt-ax56u Firmware | 2024-02-28 | 5.8 MEDIUM | 8.8 HIGH |
ASUS RT-AX56U’s SQL handling function has an SQL injection vulnerability due to insufficient user input validation. An unauthenticated LAN attacker to inject arbitrary SQL code to read, modify and delete database. | |||||
CVE-2022-26673 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting (XSS) attacks. | |||||
CVE-2022-25597 | 1 Asus | 2 Rt-ac86u, Rt-ac86u Firmware | 2024-02-28 | 5.8 MEDIUM | 8.8 HIGH |
ASUS RT-AC86U’s LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform command injection attack, execute arbitrary commands and disrupt or terminate service. | |||||
CVE-2022-26674 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
ASUS RT-AX88U has a Format String vulnerability, which allows an unauthenticated remote attacker to write to arbitrary memory address and perform remote arbitrary code execution, arbitrary system operation or disrupt service. |