Vulnerabilities > Asus > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-11-14 | CVE-2019-15392 | Unspecified vulnerability in Asus Zenfone 4 Selfie Firmware The Asus ZenFone 4 Selfie Android device with a build fingerprint of Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keys contains a pre-installed app with a package name of com.log.logservice app (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. | 5.5 |
| 2019-11-14 | CVE-2019-15391 | Unspecified vulnerability in Asus Zenfone 4 Selfie Firmware The Asus ZenFone 4 Selfie Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_1:8.1.0/OPM1.171019.011/15.0400.1809.405-0:user/release-keys contains a pre-installed app with a package name of com.log.logservice app (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. | 5.5 |
| 2019-10-20 | CVE-2019-18216 | Unspecified vulnerability in Asus ROG Zephyrus M Gm501Gs Firmware The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. low complexity asus | 6.8 |
| 2019-05-13 | CVE-2018-14712 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010 Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. | 6.5 |
| 2019-05-13 | CVE-2018-14711 | Cross-Site Request Forgery (CSRF) vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010 Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. | 6.5 |
| 2019-05-13 | CVE-2018-14710 | Cross-site Scripting vulnerability in Asus Rt-Ac3200 Firmware 3.0.0.4.382.50010 Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. | 6.1 |
| 2018-12-28 | CVE-2018-14992 | Unspecified vulnerability in Asus Zenfone 3 MAX Firmware 1.5.0.40 The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed platform app with a package name of com.asus.dm (versionCode=1510500200, versionName=1.5.0.40_171122) has an exposed interface in an exported service named com.asus.dm.installer.DMInstallerService that allows any app co-located on the device to use its capabilities to download an arbitrary app over the internet and install it. | 5.5 |
| 2018-12-28 | CVE-2018-14979 | Information Exposure vulnerability in Asus Zenfone 3 MAX Firmware 7.0.0.55 The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). | 4.7 |
| 2018-12-26 | CVE-2018-18537 | Unspecified vulnerability in Asus Aura Sync Firmware 1.07.22 The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exposes a path to write an arbitrary DWORD to an arbitrary address. | 5.5 |
| 2018-10-14 | CVE-2018-18291 | Cross-site Scripting vulnerability in Asus Rt-Ac58U Firmware 3.0.0.4.380.6516 A cross site scripting (XSS) vulnerability on ASUS RT-AC58U 3.0.0.4.380_6516 devices allows remote attackers to inject arbitrary web script or HTML via Advanced_ASUSDDNS_Content.asp, Advanced_WSecurity_Content.asp, Advanced_Wireless_Content.asp, Logout.asp, Main_Login.asp, MobileQIS_Login.asp, QIS_wizard.htma, YandexDNS.asp, ajax_status.xml, apply.cgi, clients.asp, disk.asp, disk_utility.asp, or internet.asp. | 6.1 |