Vulnerabilities > Asus

DATE CVE VULNERABILITY TITLE RISK
2018-12-28 CVE-2018-14992 Unspecified vulnerability in Asus Zenfone 3 MAX Firmware 1.5.0.40
The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed platform app with a package name of com.asus.dm (versionCode=1510500200, versionName=1.5.0.40_171122) has an exposed interface in an exported service named com.asus.dm.installer.DMInstallerService that allows any app co-located on the device to use its capabilities to download an arbitrary app over the internet and install it.
local
low complexity
asus
5.5
2018-12-28 CVE-2018-14979 Information Exposure vulnerability in Asus Zenfone 3 MAX Firmware 7.0.0.55
The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515).
local
high complexity
asus CWE-200
4.7
2018-12-26 CVE-2018-18537 Unspecified vulnerability in Asus Aura Sync Firmware 1.07.22
The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address.
local
low complexity
asus
5.5
2018-12-26 CVE-2018-18536 Unspecified vulnerability in Asus Aura Sync Firmware 1.07.22
The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read/write data from/to IO ports.
local
low complexity
asus
7.8
2018-12-26 CVE-2018-18535 Unspecified vulnerability in Asus Aura Sync Firmware 1.07.22
The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Machine Specific Registers (MSRs).
local
low complexity
asus
7.8
2018-10-14 CVE-2018-18291 Cross-site Scripting vulnerability in Asus Rt-Ac58U Firmware 3.0.0.4.380.6516
A cross site scripting (XSS) vulnerability on ASUS RT-AC58U 3.0.0.4.380_6516 devices allows remote attackers to inject arbitrary web script or HTML via Advanced_ASUSDDNS_Content.asp, Advanced_WSecurity_Content.asp, Advanced_Wireless_Content.asp, Logout.asp, Main_Login.asp, MobileQIS_Login.asp, QIS_wizard.htma, YandexDNS.asp, ajax_status.xml, apply.cgi, clients.asp, disk.asp, disk_utility.asp, or internet.asp.
network
low complexity
asus CWE-79
6.1
2018-10-14 CVE-2018-18287 Information Exposure vulnerability in Asus Rt-Ac58U Firmware 3.0.0.4.380.6516
On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discover hostnames and IP addresses by reading dhcpLeaseInfo data in the HTML source code of the Main_Login.asp page.
network
low complexity
asus CWE-200
5.3
2018-09-17 CVE-2018-17127 NULL Pointer Dereference vulnerability in Asus Gt-Ac5300 Firmware 3.0.0.4.384.21140/3.0.0.4.384.32738
blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestap parameter.
network
low complexity
asus CWE-476
7.5
2018-09-13 CVE-2018-17023 Cross-Site Request Forgery (CSRF) vulnerability in Asus Gt-Ac5300 Firmware
Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.
network
low complexity
asus CWE-352
8.8
2018-09-13 CVE-2018-17022 Out-of-bounds Write vulnerability in Asus Gt-Ac5300 Firmware
Stack-based buffer overflow on the ASUS GT-AC5300 router through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (device crash) or possibly have unspecified other impact by setting a long sh_path0 value and then sending an appGet.cgi?hook=select_list("Storage_x_SharedPath") request, because ej_select_list in router/httpd/web.c uses strcpy.
network
low complexity
asus CWE-787
7.2