ID

VAR-201502-0387


CVE

CVE-2015-1437


TITLE

Asus RT-N10 Plus D1 Router firmware cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-001451

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Asus RT-N10+ D1 router with firmware 2.1.1.1.70 allow remote attackers to inject arbitrary web script or HTML via the flag parameter to (1) result_of_get_changed_status.asp or (2) error_page.htm. The Asus RT-N10 Plus Router is a router device. A remote attacker can exploit the vulnerability by constructing a malicious URI and enticing a user to open it, in order to obtain sensitive cookies, hijack a session, or perform malicious operations on the client. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The vulnerability is caused by the result_of_get_changed_status.asp and error_page.htm files not adequately filtering the 'flag' parameter.

Trust: 2.52

sources: NVD: CVE-2015-1437 // JVNDB: JVNDB-2015-001451 // CNVD: CNVD-2015-00883 // BID: 72369 // VULHUB: VHN-79398

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-00883

AFFECTED PRODUCTS

vendor: asus, model: rt-n10\+d1, scope: eq, version: 2.1.1.1.70

Trust: 1.6

vendor: asustek computer, model: rt-n10 plus, scope: -, version: -

Trust: 0.8

vendor: asustek computer, model: rt-n10 plus, scope: eq, version: 2.1.1.1.70

Trust: 0.8

vendor: asus, model: rt-n10 plus router running, scope: eq, version: 2.1.1.1.70

Trust: 0.6

sources: CNVD: CNVD-2015-00883 // JVNDB: JVNDB-2015-001451 // CNNVD: CNNVD-201502-035 // NVD: CVE-2015-1437

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1437
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-1437
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-00883
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201502-035
value: MEDIUM

Trust: 0.6

VULHUB: VHN-79398
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-1437
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-00883
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-79398
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2015-00883 // VULHUB: VHN-79398 // JVNDB: JVNDB-2015-001451 // CNNVD: CNNVD-201502-035 // NVD: CVE-2015-1437

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-79398 // JVNDB: JVNDB-2015-001451 // NVD: CVE-2015-1437

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-035

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201502-035

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001451

PATCH

title: RT-N10, url: http://www.asus.com/Networking/RTN10/overview/

Trust: 0.8

sources: JVNDB: JVNDB-2015-001451

EXTERNAL IDS

db: NVD, id: CVE-2015-1437

Trust: 3.4

db: BID, id: 72369

Trust: 2.6

db: PACKETSTORM, id: 130187

Trust: 1.7

db: JVNDB, id: JVNDB-2015-001451

Trust: 0.8

db: CNNVD, id: CNNVD-201502-035

Trust: 0.7

db: CNVD, id: CNVD-2015-00883

Trust: 0.6

db: XF, id: 100566

Trust: 0.6

db: XF, id: 100563

Trust: 0.6

db: VULHUB, id: VHN-79398

Trust: 0.1

sources: CNVD: CNVD-2015-00883 // VULHUB: VHN-79398 // BID: 72369 // JVNDB: JVNDB-2015-001451 // CNNVD: CNNVD-201502-035 // NVD: CVE-2015-1437

REFERENCES

url:http://www.securityfocus.com/bid/72369

Trust: 2.3

url:http://packetstormsecurity.com/files/130187/asus-rt-n10-plus-cross-site-scripting.html

Trust: 1.7

url:http://www.securityfocus.com/archive/1/archive/1/534580/100/0/threaded

Trust: 1.4

url:http://www.securityfocus.com/archive/1/534579/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/534580/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/534612/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100563

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100566

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1437

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1437

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/534612/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/100566

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/534579/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/100563

Trust: 0.6

sources: CNVD: CNVD-2015-00883 // VULHUB: VHN-79398 // JVNDB: JVNDB-2015-001451 // CNNVD: CNNVD-201502-035 // NVD: CVE-2015-1437

CREDITS

Kaustubh Padwad

Trust: 0.9

sources: BID: 72369 // CNNVD: CNNVD-201502-035

SOURCES

db: CNVD, id: CNVD-2015-00883
db: VULHUB, id: VHN-79398
db: BID, id: 72369
db: JVNDB, id: JVNDB-2015-001451
db: CNNVD, id: CNNVD-201502-035
db: NVD, id: CVE-2015-1437

LAST UPDATE DATE

2024-11-23T22:31:10.509000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2015-00883, date: 2015-02-04T00:00:00
db: VULHUB, id: VHN-79398, date: 2018-10-09T00:00:00
db: BID, id: 72369, date: 2015-02-09T00:01:00
db: JVNDB, id: JVNDB-2015-001451, date: 2015-02-13T00:00:00
db: CNNVD, id: CNNVD-201502-035, date: 2015-03-24T00:00:00
db: NVD, id: CVE-2015-1437, date: 2024-11-21T02:25:25.700

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2015-00883, date: 2015-02-03T00:00:00
db: VULHUB, id: VHN-79398, date: 2015-02-04T00:00:00
db: BID, id: 72369, date: 2015-01-29T00:00:00
db: JVNDB, id: JVNDB-2015-001451, date: 2015-02-13T00:00:00
db: CNNVD, id: CNNVD-201502-035, date: 2015-01-29T00:00:00
db: NVD, id: CVE-2015-1437, date: 2015-02-04T16:59:03.123