Vulnerabilities > Asus > High

DATE CVE VULNERABILITY TITLE RISK
2019-08-29 CVE-2019-11063 Missing Authentication for Critical Function vulnerability in Asus Smarthome
A broken access control vulnerability in the SmartHome app (Android versions up to 3.0.42_190515, iOS versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication.
low complexity
asus CWE-306
8.8
2019-08-29 CVE-2019-11061 Missing Authentication for Critical Function vulnerability in Asus Hg100 Firmware 1.05.12/4.00.06
A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with it via http://[target]/smarthome/devicecontrol without any authentication.
low complexity
asus CWE-306
8.1
2019-08-29 CVE-2019-11060 Allocation of Resources Without Limits or Throttling vulnerability in Asus Hg100 Firmware 1.05.12
The web API server on port 8080 of ASUS HG100 firmware up to 1.05.12 is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time.
network
low complexity
asus CWE-770
7.5
2019-05-13 CVE-2018-14713 Use of Externally-Controlled Format String vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.
network
low complexity
asus CWE-134
8.1
2019-04-25 CVE-2018-14993 Unspecified vulnerability in Asus Zenfone 3 MAX Firmware and Zenfone V Live Firmware
The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName=1.2.0.18_160928) that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user.
local
low complexity
asus
7.8
2019-04-25 CVE-2018-14980 Incorrect Permission Assignment for Critical Resource vulnerability in Asus Zenfone 3 MAX Firmware
The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain.
local
low complexity
asus CWE-732
7.1
2018-12-26 CVE-2018-18536 Unspecified vulnerability in Asus Aura Sync Firmware 1.07.22
The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 and earlier expose functionality to read/write data from/to IO ports.
local
low complexity
asus
7.8
2018-12-26 CVE-2018-18535 Unspecified vulnerability in Asus Aura Sync Firmware 1.07.22
The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes functionality to read and write Machine Specific Registers (MSRs).
local
low complexity
asus
7.8
2018-09-17 CVE-2018-17127 NULL Pointer Dereference vulnerability in Asus Gt-Ac5300 Firmware 3.0.0.4.384.21140/3.0.0.4.384.32738
blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestap parameter.
network
low complexity
asus CWE-476
7.5
2018-09-13 CVE-2018-17023 Cross-Site Request Forgery (CSRF) vulnerability in Asus Gt-Ac5300 Firmware
Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 routers with firmware through 3.0.0.4.384_32738 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.
network
low complexity
asus CWE-352
8.8