ID

VAR-201703-1109


CVE

CVE-2017-6547


TITLE

Cross-site scripting vulnerability in httpd of ASUSWRT running on ASUS RT-AC53 devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-002137

DESCRIPTION

Cross-site scripting (XSS) vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N300, and RT-AC750 routers with firmware before 3.0.0.4.380.7378; RT-AC68W routers with firmware before 3.0.0.4.380.7266; and RT-N600, RT-N12+ B1, RT-N11P B1, RT-N12VP B1, RT-N12E C1, RT-N300 B1, and RT-N12+ Pro routers with firmware before 3.0.0.4.380.9488 allows remote attackers to inject arbitrary JavaScript by requesting filenames longer than 50 characters.

The httpd of ASUSWRT running on ASUS RT-AC53 devices contains a cross-site scripting vulnerability. A remote attacker may insert JavaScript by requesting a file name longer than 50 characters.

Asus ASUSWRT is prone to the following multiple security vulnerabilities:
1. A buffer-overflow vulnerability.
2. A cross-site-scripting vulnerability.
3. A session-hijacking vulnerability.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or steal cookie-based authentication credentials and gain unauthorized access. Failed exploit attempts will likely cause denial-of-service conditions.

ASUS RT-AC53 is a wireless router made by ASUS. ASUS ASUSWRT is a firmware for wireless routers. The httpd of ASUS ASUSWRT in RT-AC53 with firmware version 3.0.0.4.380.6038 has a cross-site scripting vulnerability.

Trust: 1.98

sources: NVD: CVE-2017-6547 // JVNDB: JVNDB-2017-002137 // BID: 96938 // VULHUB: VHN-114750

AFFECTED PRODUCTS

vendor: asus, model: rt-ac53, scope: eq, version: 3.0.0.4.380.6038

Trust: 1.6

vendor: asustek computer, model: rt-ac53, scope: -, version: -

Trust: 0.8

vendor: asustek computer, model: rt-ac53, scope: eq, version: 3.0.0.4.380.6038

Trust: 0.8

vendor: asus, model: asuswrt rt-ac53, scope: eq, version: 3.0.0.4.380.6038

Trust: 0.3

vendor: asus, model: asuswrt rt-ac53, scope: eq, version: 0

Trust: 0.3

sources: BID: 96938 // JVNDB: JVNDB-2017-002137 // CNNVD: CNNVD-201703-323 // NVD: CVE-2017-6547

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-6547
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-6547
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201703-323
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114750
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-6547
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114750
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-6547
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114750 // JVNDB: JVNDB-2017-002137 // CNNVD: CNNVD-201703-323 // NVD: CVE-2017-6547

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-114750 // JVNDB: JVNDB-2017-002137 // NVD: CVE-2017-6547

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-323

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201703-323

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002137

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-114750

PATCH

title: RT-AC53, url: https://www.asus.com/us/Networking/RT-AC53/

Trust: 0.8

sources: JVNDB: JVNDB-2017-002137

EXTERNAL IDS

db: NVD, id: CVE-2017-6547

Trust: 2.8

db: BID, id: 96938

Trust: 1.4

db: EXPLOIT-DB, id: 41571

Trust: 1.1

db: JVNDB, id: JVNDB-2017-002137

Trust: 0.8

db: CNNVD, id: CNNVD-201703-323

Trust: 0.7

db: PACKETSTORM, id: 142066

Trust: 0.1

db: SEEBUG, id: SSVID-92758

Trust: 0.1

db: VULHUB, id: VHN-114750

Trust: 0.1

sources: VULHUB: VHN-114750 // BID: 96938 // JVNDB: JVNDB-2017-002137 // CNNVD: CNNVD-201703-323 // NVD: CVE-2017-6547

REFERENCES

url: https://bierbaumer.net/security/asuswrt/#cross-site-scripting-xss

Trust: 2.5

url: http://www.securityfocus.com/bid/96938

Trust: 1.1

url: https://www.exploit-db.com/exploits/41571/

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6547

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-6547

Trust: 0.8

url: https://bierbaumer.net/security/asuswrt/#

Trust: 0.3

url: https://www.asus.com/asuswrt/

Trust: 0.3

sources: VULHUB: VHN-114750 // BID: 96938 // JVNDB: JVNDB-2017-002137 // CNNVD: CNNVD-201703-323 // NVD: CVE-2017-6547

CREDITS

bruno

Trust: 0.3

sources: BID: 96938

SOURCES

db: VULHUB, id: VHN-114750
db: BID, id: 96938
db: JVNDB, id: JVNDB-2017-002137
db: CNNVD, id: CNNVD-201703-323
db: NVD, id: CVE-2017-6547

LAST UPDATE DATE

2024-11-23T20:22:30.851000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114750, date: 2017-08-16T00:00:00
db: BID, id: 96938, date: 2017-03-23T00:01:00
db: JVNDB, id: JVNDB-2017-002137, date: 2017-03-30T00:00:00
db: CNNVD, id: CNNVD-201703-323, date: 2017-03-30T00:00:00
db: NVD, id: CVE-2017-6547, date: 2024-11-21T03:29:59.913

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114750, date: 2017-03-09T00:00:00
db: BID, id: 96938, date: 2017-03-09T00:00:00
db: JVNDB, id: JVNDB-2017-002137, date: 2017-03-30T00:00:00
db: CNNVD, id: CNNVD-201703-323, date: 2017-03-09T00:00:00
db: NVD, id: CVE-2017-6547, date: 2017-03-09T09:59:00.160