CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Asus : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-46109 79 XSS 2022-01-03 2022-01-08
4.3
None Remote Medium Not required None Partial None
Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack.
2 CVE-2021-40981 427 +Priv 2021-09-27 2021-10-01
4.4
None Local Medium Not required Partial Partial Partial
ASUS ROG Armoury Crate Lite before 4.2.10 allows local users to gain privileges by placing a Trojan horse file in the publicly writable %PROGRAMDATA%\ASUS\GamingCenterLib directory.
3 CVE-2021-28686 787 DoS Overflow 2021-04-08 2021-04-16
2.1
None Local Low Not required None None Partial
AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow. This could enable low-privileged users to achieve Denial of Service via a DeviceIoControl.
4 CVE-2021-28685 269 2021-04-08 2021-04-20
7.2
None Local Low Not required Complete Complete Complete
AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to interact directly with physical memory (by calling one of several driver routines that map physical memory into the virtual address space of the calling process) and to interact with MSR registers. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl.
5 CVE-2020-15009 426 Exec Code 2020-07-20 2020-07-29
4.4
None Local Medium Not required Partial Partial Partial
AsusScreenXpertServicec.exe and ScreenXpertUpgradeServiceManager.exe in ScreenPad2_Upgrade_Tool.msi V1.0.3 for ASUS PCs with ScreenPad 1.0 (UX450FDX, UX550GDX and UX550GEX) could lead to unsigned code execution with no additional restrictions when a user puts an application at a particular path with a particular file name.
6 CVE-2020-12695 276 2020-06-08 2021-04-23
7.8
None Remote Medium Not required Partial None Complete
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
7 CVE-2019-17603 787 DoS +Priv Mem. Corr. 2020-06-02 2020-06-25
7.2
None Local Low Not required Complete Complete Complete
Ene.sys in Asus Aura Sync through 1.07.71 does not properly validate input to IOCTL 0x80102044, 0x80102050, and 0x80102054, which allows local users to cause a denial of service (system crash) or gain privileges via IOCTL requests using crafted kernel addresses that trigger memory corruption.
8 CVE-2019-11063 306 2019-08-29 2020-08-24
8.3
None Local Network Low Not required Complete Complete Complete
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
9 CVE-2019-10709 264 Overflow 2019-09-04 2019-09-05
7.5
None Remote Low Not required Partial Partial Partial
AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.
10 CVE-2018-8878 200 +Info 2020-02-27 2020-03-04
5.0
None Remote Low Not required Partial None None
Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network devices' hostnames and MAC addresses by reading the custom_id variable on the blocking.asp page.
11 CVE-2018-8877 200 +Info 2020-02-27 2020-03-04
5.0
None Remote Low Not required Partial None None
Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network IP address ranges by reading the new_lan_ip variable on the error_page.htm page.
12 CVE-2018-6000 862 2018-01-22 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
13 CVE-2018-5999 2018-01-22 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.
14 CVE-2017-17945 295 2019-06-24 2019-07-03
6.4
None Remote Low Not required Partial Partial None
The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.
15 CVE-2017-17944 295 2019-06-20 2019-06-21
6.4
None Remote Low Not required Partial Partial None
The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.
16 CVE-2017-15656 522 2018-01-31 2019-10-03
4.0
None Remote Low ??? Partial None None
Password are stored in plaintext in nvram in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt.
17 CVE-2017-15655 119 Overflow 2018-01-31 2018-02-21
9.3
None Remote Medium Not required Complete Complete Complete
Multiple buffer overflow vulnerabilities exist in the HTTPd server in Asus asuswrt version <=3.0.0.4.376.X. All have been fixed in version 3.0.0.4.378, but this vulnerability was not previously disclosed. Some end-of-life routers have this version as the newest and thus are vulnerable at this time. This vulnerability allows for RCE with administrator rights when the administrator visits several pages.
18 CVE-2017-15654 330 2018-01-31 2019-10-03
7.6
None Remote High Not required Complete Complete Complete
Highly predictable session tokens in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allow gaining administrative router access.
19 CVE-2017-15653 613 2018-01-31 2018-02-27
6.5
None Remote Low ??? Partial Partial Partial
Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string.
20 CVE-2015-6949 119 Exec Code Overflow 2015-09-15 2016-12-22
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the ASUS TM-AC1900 router allows remote attackers to execute arbitrary code via crafted HTTP header values.
21 CVE-2013-7293 16 2014-01-15 2016-12-31
5.0
None Remote Low Not required None Partial None
The ASUS WL-330NUL router has a configuration process that relies on accessing the 192.168.1.1 IP address, but the documentation advises users to instead access a DNS hostname that does not always resolve to 192.168.1.1, which makes it easier for remote attackers to hijack the configuration traffic by controlling the server associated with that hostname.
22 CVE-2012-4924 119 1 Exec Code Overflow 2012-09-15 2017-08-29
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in the CxDbgPrint function in the ipswcom.dll ActiveX component 1.0.0.1 for ASUS Net4Switch 1.0.0020 allows remote attackers to execute arbitrary code via a long parameter to the Alert method.
23 CVE-2011-4497 200 +Info 2011-11-21 2011-11-21
3.3
None Local Network Low Not required Partial None None
QIS_wizard.htm on the ASUS RT-N56U router with firmware before 1.0.1.4o allows remote attackers to obtain the administrator password via a flag=detect request.
24 CVE-2009-3093 2009-09-08 2009-09-09
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability on the ASUS WL-500W wireless router has unknown impact and remote attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
25 CVE-2009-3092 Overflow 2009-09-08 2009-09-09
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow on the ASUS WL-500W wireless router has unknown impact and remote attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
26 CVE-2009-3091 2009-09-08 2011-12-21
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability on the ASUS WL-330gE has unknown impact and remote attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
27 CVE-2009-0656 255 Bypass 2009-02-20 2017-08-17
6.9
None Local Medium Not required Complete Complete Complete
Asus SmartLogon 1.0.0005 allows physically proximate attackers to bypass "security functions" by presenting an image with a modified viewpoint that matches the posture of a stored image of the authorized notebook user.
28 CVE-2008-1491 119 Exec Code Overflow 2008-03-25 2018-10-11
10.0
None Remote Low Not required Complete Complete Complete
Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (aka ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623.
29 CVE-2005-3490 Dir. Trav. 2005-11-04 2016-10-18
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the web server in Asus Video Security 3.5.0.0 and earlier allows remote attackers to read arbitrary files via "../" or "..\" sequences in the URL.
30 CVE-2005-3489 Exec Code Overflow 2005-11-04 2016-10-18
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in Asus Video Security 3.5.0.0 and earlier, when using authorization, allows remote attackers to execute arbitrary code via a long username/password string.
Total number of vulnerabilities : 30   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.