Sign-up

ID

VAR-201404-0447


CVE

CVE-2014-2925


TITLE

ASUS RT-AC68U And other RT Series router firmware Advanced_Wireless_Content.asp Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-002211

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Advanced_Wireless_Content.asp in ASUS RT-AC68U and other RT series routers with firmware before 3.0.0.4.374.5047 allows remote attackers to inject arbitrary web script or HTML via the current_page parameter to apply.cgi. ASUS RT-AC68U is a router device. A remote attacker can exploit a vulnerability to build a malicious URI, entice a user to resolve, obtain sensitive cookies, hijack a session, or perform malicious operations on the client. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The vulnerability stems from the fact that the apply.cgi script does not filter the 'current_page' parameter correctly

Trust: 2.52

sources: NVD: CVE-2014-2925 // JVNDB: JVNDB-2014-002211 // CNVD: CNVD-2014-02220 // BID: 66669 // VULHUB: VHN-70864

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-02220

AFFECTED PRODUCTS

vendor:t mobilemodel:tm-ac1900scope:eqversion:3.0.0.4.376_3169

Trust: 1.6

vendor:asusmodel:rt-ac68uscope:eqversion: -

Trust: 1.0

vendor:asusmodel:rt-ac68uscope:eqversion:3.0.0.4.374.4755

Trust: 1.0

vendor:asusmodel:rt-ac68uscope:lteversion:3.0.0.4.374_4983

Trust: 1.0

vendor:asusmodel:rt-ac68uscope:eqversion:3.0.0.4.374_4887

Trust: 1.0

vendor:asustek computermodel:rt-ac68uscope: - version: -

Trust: 0.8

vendor:asustek computermodel:rt-ac68uscope:ltversion:3.0.0.4.374.5047

Trust: 0.8

vendor:asustek computermodel:rt-ac68uscope:eqversion:3.0.0.4.374.4755

Trust: 0.6

vendor:asustek computermodel:rt-ac68u 3.0.0.4.374 4887scope: - version: -

Trust: 0.6

vendor:asustek computermodel:rt-ac68u 3.0.0.4.374 4983scope: - version: -

Trust: 0.6

vendor:asustek computermodel:rt-ac68u 3.0.0.4.374 4755scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2014-02220 // JVNDB: JVNDB-2014-002211 // CNNVD: CNNVD-201404-436 // NVD: CVE-2014-2925

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2925
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2925
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-02220
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201404-436
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70864
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2925
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-02220
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-70864
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-02220 // VULHUB: VHN-70864 // JVNDB: JVNDB-2014-002211 // CNNVD: CNNVD-201404-436 // NVD: CVE-2014-2925

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70864 // JVNDB: JVNDB-2014-002211 // NVD: CVE-2014-2925

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-436

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201404-436

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-002211

PATCH
title:RT-AC68Uurl:http://www.asus.com/Networking/RTAC68U/HelpDesk_Download/
Trust: 0.8
title:RT-N66Uurl:http://support.asus.com/download.aspx?m=RT-N66U+%28VER.B1%29
Trust: 0.8
title:Cellspot router firmware update informationurl:https://support.t-mobile.com/docs/DOC-21994
Trust: 0.8
title:FW_RT-AC68U_30043745047url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49450
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2014-002211 // 
            
            
            
            CNNVD: CNNVD-201404-436

EXTERNAL IDS
db:NVDid:CVE-2014-2925
Trust: 3.4
db:BIDid:66669
Trust: 2.0
db:JVNDBid:JVNDB-2014-002211
Trust: 0.8
db:CNNVDid:CNNVD-201404-436
Trust: 0.7
db:OSVDBid:105383
Trust: 0.6
db:CNVDid:CNVD-2014-02220
Trust: 0.6
db:FULLDISCid:20140404 REFLECTED CROSS-SITE SCRIPTING WITHIN THE ASUS RT-AC68U MANAGING WEB INTERFACE
Trust: 0.6
db:VULHUBid:VHN-70864
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2014-02220 // 
            
            
            
            VULHUB: VHN-70864 // 
            
            
            
            BID: 66669 // 
            
            
            
            JVNDB: JVNDB-2014-002211 // 
            
            
            
            CNNVD: CNNVD-201404-436 // 
            
            
            
            NVD: CVE-2014-2925

REFERENCES
url:http://seclists.org/fulldisclosure/2014/apr/59
Trust: 3.1
url:http://support.asus.com/download.aspx?m=rt-n66u+%28ver.b1%29
Trust: 1.7
url:http://www.asus.com/networking/rtac68u/helpdesk_download/
Trust: 1.7
url:http://www.securityfocus.com/bid/66669
Trust: 1.1
url:https://support.t-mobile.com/docs/doc-21994
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2925
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2925
Trust: 0.8
url:http://osvdb.com/show/osvdb/105383
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-02220 // 
            
            
            
            VULHUB: VHN-70864 // 
            
            
            
            JVNDB: JVNDB-2014-002211 // 
            
            
            
            CNNVD: CNNVD-201404-436 // 
            
            
            
            NVD: CVE-2014-2925

CREDITS
Joaquim Brasil de Oliveira
Trust: 0.3
sources:
            
            
            BID: 66669

SOURCES
db:CNVDid:CNVD-2014-02220
db:VULHUBid:VHN-70864
db:BIDid:66669
db:JVNDBid:JVNDB-2014-002211
db:CNNVDid:CNNVD-201404-436
db:NVDid:CVE-2014-2925

LAST UPDATE DATE
2024-11-23T22:27:20.584000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-02220date:2014-04-11T00:00:00
db:VULHUBid:VHN-70864date:2016-06-30T00:00:00
db:BIDid:66669date:2014-04-23T19:01:00
db:JVNDBid:JVNDB-2014-002211date:2016-02-10T00:00:00
db:CNNVDid:CNNVD-201404-436date:2014-04-23T00:00:00
db:NVDid:CVE-2014-2925date:2024-11-21T02:07:12.077

SOURCES RELEASE DATE
db:CNVDid:CNVD-2014-02220date:2014-04-11T00:00:00
db:VULHUBid:VHN-70864date:2014-04-22T00:00:00
db:BIDid:66669date:2014-04-04T00:00:00
db:JVNDBid:JVNDB-2014-002211date:2014-04-24T00:00:00
db:CNNVDid:CNNVD-201404-436date:2014-04-23T00:00:00
db:NVDid:CVE-2014-2925date:2014-04-22T13:06:30.743