Filtered by vendor Asus
Total: 221 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-47678 | 1 Asus | 2 Rt-ac87u, Rt-ac87u Firmware | 2023-11-21 | N/A | 9.1 CRITICAL |
| An improper access control vulnerability exists in RT-AC87U all versions. An attacker may read or write files that are not intended to be accessed by connecting to a target device via tftp. | |||||
| CVE-2023-47008 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the ifname field in the sub_4CCE4 function. | |||||
| CVE-2023-47007 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_391B8 function. | |||||
| CVE-2023-47006 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ipaddr field in the sub_6FC74 function. | |||||
| CVE-2023-47005 | 1 Asus | 2 Rt-ax57, Rt-ax57 Firmware | 2023-11-15 | N/A | 9.8 CRITICAL |
| An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_ln 2C318 function. | |||||
| CVE-2023-41347 | 1 Asus | 2 Rt-ax55, Rt-ax55 Firmware | 2023-11-13 | N/A | 8.8 HIGH |
| ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services. | |||||
| CVE-2023-41348 | 1 Asus | 2 Rt-ax55, Rt-ax55 Firmware | 2023-11-13 | N/A | 8.8 HIGH |
| ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its code-authentication module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services. | |||||
| CVE-2023-41345 | 1 Asus | 2 Rt-ax55, Rt-ax55 Firmware | 2023-11-13 | N/A | 8.8 HIGH |
| ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system, or terminate services. | |||||
| CVE-2023-41346 | 1 Asus | 2 Rt-ax55, Rt-ax55 Firmware | 2023-11-13 | N/A | 8.8 HIGH |
| ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services. | |||||
| CVE-2023-39086 | 1 Asus | 2 Rt-ac66u B1, Rt-ac66u B1 Firmware | 2023-08-14 | N/A | 7.5 HIGH |
| ASUS RT-AC66U B1 3.0.0.4.286_51665 was discovered to transmit sensitive information in cleartext. | |||||
| CVE-2021-37315 | 1 Asus | 2 Rt-ac68u, Rt-ac68u Firmware | 2023-08-08 | N/A | 9.1 CRITICAL |
| Incorrect Access Control issue discovered in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the source for COPY and MOVE operations. | |||||
| CVE-2021-41437 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2023-08-08 | N/A | 6.5 MEDIUM |
| An HTTP response splitting attack in web application in ASUS RT-AX88U before v3.0.0.4.388.20558 allows an attacker to craft a specific URL that if an authenticated victim visits it, the URL will give access to the cloud storage of the attacker. | |||||
| CVE-2022-22814 | 1 Asus | 1 Myasus | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation. | |||||
| CVE-2023-26911 | 1 Asus | 2 Armoury Crate, Setupasusservices | 2023-08-04 | N/A | 7.8 HIGH |
| ASUS SetupAsusServices v1.0.5.1 in Asus Armoury Crate v5.3.4.0 contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges. | |||||
| CVE-2023-35086 | 1 Asus | 4 Rt-ac86u, Rt-ac86u Firmware, Rt-ax56u V2 and 1 more | 2023-08-04 | N/A | 9.8 CRITICAL |
| A format string vulnerability has been identified in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by directly using input as a format string when calling syslog in logmessage_normal function, in the do_detwan_cgi module of httpd. An unauthenticated remote attacker without privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529. | |||||
| CVE-2023-34360 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2023-08-04 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) issue was discovered within the Custom User Icons functionality of ASUS RT-AX88U running firmware versions 3.0.0.4.388.23110 and prior. After logging in to the device with regular user privilege, a remote attacker can perform a Stored Cross-site Scripting (XSS) attack by uploading an image containing JavaScript code. | |||||
| CVE-2023-34358 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2023-08-04 | N/A | 7.5 HIGH |
| ASUS RT-AX88U's httpd is subject to an unauthenticated DoS condition. A remote attacker can send a specially crafted request to a device which contains a specific user agent, causing the httpd binary to crash during a string comparison performed within web.c, resulting in a DoS condition. | |||||
| CVE-2023-34359 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2023-08-04 | N/A | 7.5 HIGH |
| ASUS RT-AX88U's httpd is subject to an unauthenticated DoS condition. A remote attacker can send a specially crafted request to the device which causes the httpd binary to crash within the "do_json_decode()" function of ej.c, resulting in a DoS condition. | |||||
| CVE-2022-35899 | 2 Asus, Microsoft | 2 Aura Ready Game Software Development Kit, Windows | 2022-07-30 | N/A | 7.8 HIGH |
| There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\ASUS\GameSDK.exe file. | |||||
| CVE-2021-43702 | 1 Asus | 186 4g-ac53u, 4g-ac53u Firmware, 4g-ac68u and 183 more | 2022-07-18 | 3.5 LOW | 9.0 CRITICAL |
| ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS). The ASUS router admin panel does not sanitize the WiFi logs correctly; if an attacker was able to change the SSID of the router with a custom payload, they could achieve stored XSS on the device. | |||||
| CVE-2022-32988 | 1 Asus | 2 Dsl-n14u-b1, Dsl-n14u-b1 Firmware | 2022-07-13 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings. The following asp files are affected: (1) cgi-bin/APP_Installation.asp, (2) cgi-bin/Advanced_ACL_Content.asp, (3) cgi-bin/Advanced_ADSL_Content.asp, (4) cgi-bin/Advanced_ASUSDDNS_Content.asp, (5) cgi-bin/Advanced_AiDisk_ftp.asp, (6) cgi-bin/Advanced_AiDisk_samba.asp, (7) cgi-bin/Advanced_DSL_Content.asp, (8) cgi-bin/Advanced_Firewall_Content.asp, (9) cgi-bin/Advanced_FirmwareUpgrade_Content.asp, (10) cgi-bin/Advanced_GWStaticRoute_Content.asp, (11) cgi-bin/Advanced_IPTV_Content.asp, (12) cgi-bin/Advanced_IPv6_Content.asp, (13) cgi-bin/Advanced_KeywordFilter_Content.asp, (14) cgi-bin/Advanced_LAN_Content.asp, (15) cgi-bin/Advanced_Modem_Content.asp, (16) cgi-bin/Advanced_PortTrigger_Content.asp, (17) cgi-bin/Advanced_QOSUserPrio_Content.asp, (18) cgi-bin/Advanced_QOSUserRules_Content.asp, (19) cgi-bin/Advanced_SettingBackup_Content.asp, (20) cgi-bin/Advanced_System_Content.asp, (21) cgi-bin/Advanced_URLFilter_Content.asp, (22) cgi-bin/Advanced_VPN_PPTP.asp, (23) cgi-bin/Advanced_VirtualServer_Content.asp, (24) cgi-bin/Advanced_WANPort_Content.asp, (25) cgi-bin/Advanced_WAdvanced_Content.asp, (26) cgi-bin/Advanced_WMode_Content.asp, (27) cgi-bin/Advanced_WWPS_Content.asp, (28) cgi-bin/Advanced_Wireless_Content.asp, (29) cgi-bin/Bandwidth_Limiter.asp, (30) cgi-bin/Guest_network.asp, (31) cgi-bin/Main_AccessLog_Content.asp, (32) cgi-bin/Main_AdslStatus_Content.asp, (33) cgi-bin/Main_Spectrum_Content.asp, (34) cgi-bin/Main_WebHistory_Content.asp, (35) cgi-bin/ParentalControl.asp, (36) cgi-bin/QIS_wizard.asp, (37) cgi-bin/QoS_EZQoS.asp, (38) cgi-bin/aidisk.asp, (39) cgi-bin/aidisk/Aidisk-1.asp, (40) cgi-bin/aidisk/Aidisk-2.asp, (41) cgi-bin/aidisk/Aidisk-3.asp, (42) cgi-bin/aidisk/Aidisk-4.asp, (43) cgi-bin/blocking.asp, (44) cgi-bin/cloud_main.asp, (45) cgi-bin/cloud_router_sync.asp, (46) cgi-bin/cloud_settings.asp, (47) cgi-bin/cloud_sync.asp, (48) cgi-bin/device-map/DSL_dashboard.asp, (49) cgi-bin/device-map/clients.asp, (50) cgi-bin/device-map/disk.asp, (51) cgi-bin/device-map/internet.asp, (52) cgi-bin/error_page.asp, (53) cgi-bin/index.asp, (54) cgi-bin/index2.asp, (55) cgi-bin/qis/QIS_PTM_manual_setting.asp, (56) cgi-bin/qis/QIS_admin_pass.asp, (57) cgi-bin/qis/QIS_annex_setting.asp, (58) cgi-bin/qis/QIS_bridge_cfg_tmp.asp, (59) cgi-bin/qis/QIS_detect.asp, (60) cgi-bin/qis/QIS_finish.asp, (61) cgi-bin/qis/QIS_ipoa_cfg_tmp.asp, (62) cgi-bin/qis/QIS_manual_setting.asp, (63) cgi-bin/qis/QIS_mer_cfg.asp, (64) cgi-bin/qis/QIS_mer_cfg_tmp.asp, (65) cgi-bin/qis/QIS_ppp_cfg.asp, (66) cgi-bin/qis/QIS_ppp_cfg_tmp.asp, (67) cgi-bin/qis/QIS_wireless.asp, (68) cgi-bin/query_wan_status.asp, (69) cgi-bin/query_wan_status2.asp, and (70) cgi-bin/start_apply.asp. | |||||
| CVE-2021-3254 | 1 Asus | 2 Dsl-n14u-b1, Dsl-n14u-b1 Firmware | 2022-07-12 | 7.8 HIGH | 7.5 HIGH |
| Asus DSL-N14U-B1 1.1.2.3_805 allows remote attackers to cause a Denial of Service (DoS) via a TCP SYN scan using nmap. | |||||
| CVE-2021-28685 | 1 Asus | 1 Gputweak Ii | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to interact directly with physical memory (by calling one of several driver routines that map physical memory into the virtual address space of the calling process) and to interact with MSR registers. This could enable low-privileged users to achieve NT AUTHORITY\SYSTEM privileges via a DeviceIoControl. | |||||
| CVE-2022-31874 | 1 Asus | 2 Rt-n53, Rt-n53 Firmware | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| ASUS RT-N53 3.0.0.4.376.3754 has a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface. | |||||
| CVE-2022-26668 | 1 Asus | 1 Control Center | 2022-06-27 | 6.4 MEDIUM | 6.5 MEDIUM |
| ASUS Control Center API has a broken access control vulnerability. An unauthenticated remote attacker can call privileged API functions to perform partial system operations or cause partial disruption of service. | |||||
| CVE-2022-26669 | 1 Asus | 1 Control Center | 2022-06-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| ASUS Control Center is vulnerable to SQL injection. An authenticated remote attacker with general user privilege can inject SQL commands into specific API parameters to acquire database schema or access data. | |||||
| CVE-2022-26673 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2022-05-04 | 3.5 LOW | 5.4 MEDIUM |
| ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting (XSS) attacks. | |||||
| CVE-2022-26674 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2022-05-04 | 7.5 HIGH | 9.8 CRITICAL |
| ASUS RT-AX88U has a Format String vulnerability, which allows an unauthenticated remote attacker to write to arbitrary memory address and perform remote arbitrary code execution, arbitrary system operation or disrupt service. | |||||
| CVE-2022-26672 | 1 Asus | 1 Webstorage | 2022-05-04 | 7.5 HIGH | 9.8 CRITICAL |
| ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information. | |||||
| CVE-2021-46247 | 1 Asus | 2 Cmax6000, Cmax6000 Firmware | 2022-02-25 | 5.0 MEDIUM | 7.5 HIGH |
| The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered from ASUS CMAX6000 v1.02.00. | |||||
| CVE-2022-21933 | 1 Asus | 26 Pa90, Pa90 Firmware, Pb50 and 23 more | 2022-01-27 | 7.2 HIGH | 7.8 HIGH |
| ASUS VivoMini/Mini PC device has an improper input validation vulnerability. A local attacker with system privilege can use system management interrupt (SMI) to modify memory, resulting in arbitrary code execution for controlling the system or disrupting service. | |||||
| CVE-2022-22054 | 1 Asus | 2 Rt-ax56u, Rt-ax56u Firmware | 2022-01-21 | 3.3 LOW | 6.5 MEDIUM |
| ASUS RT-AX56U’s login function contains a path traversal vulnerability due to its inadequate filtering for special characters in URL parameters, which allows an unauthenticated local area network attacker to access restricted system paths and download arbitrary files. | |||||
| CVE-2021-44158 | 1 Asus | 2 Rt-ax56u, Rt-ax56u Firmware | 2022-01-10 | 7.7 HIGH | 8.0 HIGH |
| ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflow due to improper validation for httpd parameter length. An authenticated local area network attacker can launch arbitrary code execution to control the system or disrupt service. | |||||
| CVE-2021-46109 | 1 Asus | 1 Rt-ac52u B1 Firmware | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931, which can lead to a user session hijack. | |||||
| CVE-2019-20082 | 1 Asus | 2 Rt-n53, Rt-n53 Firmware | 2022-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| ASUS RT-N53 3.0.0.4.376.3754 devices have a buffer overflow via a long lan_dns1_x or lan_dns2_x parameter to Advanced_LAN_Content.asp. | |||||
| CVE-2021-41289 | 1 Asus | 2 P453uj, P453uj Bios | 2021-12-13 | 3.6 LOW | 7.1 HIGH |
| ASUS P453UJ contains the Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability. With a general user’s permission, local attackers can modify the BIOS by replacing or filling in the content of the designated Memory DataBuffer, causing a failure of integrity verification and further resulting in a failure to boot. | |||||
| CVE-2021-41436 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2021-11-23 | 7.8 HIGH | 7.5 HIGH |
| An HTTP request smuggling vulnerability in the web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to cause a DoS by sending a specially crafted HTTP packet. | |||||
| CVE-2021-41435 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2021-11-23 | 10.0 HIGH | 9.8 CRITICAL |
| A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request. | |||||
| CVE-2021-37910 | 1 Asus | 10 Gt-axe11000, Gt-axe11000 Firmware, Rt-ax3000 and 7 more | 2021-11-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Wi-Fi protected access protocol (WPA2 and WPA3-SAE) on ASUS routers has an improper control of interaction frequency vulnerability. An unauthenticated attacker can remotely disconnect other users' connections by sending specially crafted SAE authentication frames. | |||||
| CVE-2021-42055 | 1 Asus | 2 Ux582lr, Ux582lr Firmware | 2021-10-22 | 4.6 MEDIUM | 6.8 MEDIUM |
| ASUSTek ZenBook Pro Duo 15 UX582 laptop firmware through 203 has Insecure Permissions that allow attacks by a physically proximate attacker. | |||||
| CVE-2021-40981 | 1 Asus | 1 Armoury Crate Lite Service | 2021-10-01 | 4.4 MEDIUM | 7.3 HIGH |
| ASUS ROG Armoury Crate Lite before 4.2.10 allows local users to gain privileges by placing a Trojan horse file in the publicly writable %PROGRAMDATA%\ASUS\GamingCenterLib directory. | |||||
| CVE-2020-10649 | 2 Asus, Microsoft | 2 Device Activation, Windows 10 | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| DevActSvc.exe in ASUS Device Activation before 1.0.7.0 for Windows 10 notebooks and PCs could lead to unsigned code execution with no additional restrictions when a user puts an application at a particular path with a particular file name. | |||||
| CVE-2020-35219 | 1 Asus | 2 Dsl-n17u, Dsl-n17u Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| The ASUS DSL-N17U modem with firmware 1.1.0.2 allows attackers to access the admin interface by changing the admin password without authentication via a POST request to Advanced_System_Content.asp with the uiViewTools_username=admin&uiViewTools_Password= and uiViewTools_PasswordConfirm= substrings. | |||||
| CVE-2019-18216 | 1 Asus | 2 Rog Zephyrus M Gm501gs, Rog Zephyrus M Gm501gs Firmware | 2021-07-21 | 7.2 HIGH | 6.8 MEDIUM |
| ** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access can exhaust the main battery to reset the BIOS configuration, and then achieve direct access to the hard drive by booting a live USB OS without disassembling the laptop. NOTE: the vendor has apparently indicated that this is "normal" and use of the same battery for the BIOS and the overall system is a "new design." However, the vendor apparently plans to "improve" this at an unspecified later time. | |||||
| CVE-2020-29656 | 1 Asus | 2 Rt-ac88u, Rt-ac88u Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability exists in RT-AC88U Download Master before 3.1.0.108. A direct access to /downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language makes it possible to reach "unknown functionality" in a "known to be easy" manner via an unspecified "public exploit." | |||||
| CVE-2019-19235 | 2 Asus, Microsoft | 2 Atk Package, Windows 10 | 2021-07-21 | 6.9 MEDIUM | 7.0 HIGH |
| AsLdrSrv.exe in ASUS ATK Package before V1.0.0061 (for Windows 10 notebook PCs) could lead to unsigned code execution with no additional execution. The user must put an application at a particular path, with a particular file name. | |||||
| CVE-2021-32030 | 1 Asus | 2 Gt-ac2900, Gt-ac2900 Firmware | 2021-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. | |||||
| CVE-2020-12695 | 18 Asus, Broadcom, Canon and 15 more | 257 Rt-n11, Adsl, Selphy Cp1200 and 254 more | 2021-04-23 | 7.8 HIGH | 7.5 HIGH |
| The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. | |||||
| CVE-2021-3128 | 1 Asus | 54 Rt-ac1750 B1, Rt-ac1750 B1 Firmware, Rt-ac1900 and 51 more | 2021-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and other ASUS routers with firmware < 3.0.0.4.386.42095 or < 9.0.0.4.386.41994, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set. | |||||
| CVE-2021-28686 | 1 Asus | 1 Gputweak Ii | 2021-04-16 | 2.1 LOW | 5.5 MEDIUM |
| AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow low-privileged users to trigger a stack-based buffer overflow. This could enable low-privileged users to achieve Denial of Service via a DeviceIoControl. | |||||
