ID

VAR-202206-2326


CVE

CVE-2022-32988


TITLE

Cross-site scripting vulnerability in ASUSTeK Computer Inc. DSL-N14U-B1 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2022-012754

DESCRIPTION

Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc.) in every ".asp" page containing a list of stored strings. The following asp files are affected: (1) cgi-bin/APP_Installation.asp, (2) cgi-bin/Advanced_ACL_Content.asp, (3) cgi-bin/Advanced_ADSL_Content.asp, (4) cgi-bin/Advanced_ASUSDDNS_Content.asp, (5) cgi-bin/Advanced_AiDisk_ftp.asp, (6) cgi-bin/Advanced_AiDisk_samba.asp, (7) cgi-bin/Advanced_DSL_Content.asp, (8) cgi-bin/Advanced_Firewall_Content.asp, (9) cgi-bin/Advanced_FirmwareUpgrade_Content.asp, (10) cgi-bin/Advanced_GWStaticRoute_Content.asp, (11) cgi-bin/Advanced_IPTV_Content.asp, (12) cgi-bin/Advanced_IPv6_Content.asp, (13) cgi-bin/Advanced_KeywordFilter_Content.asp, (14) cgi-bin/Advanced_LAN_Content.asp, (15) cgi-bin/Advanced_Modem_Content.asp, (16) cgi-bin/Advanced_PortTrigger_Content.asp, (17) cgi-bin/Advanced_QOSUserPrio_Content.asp, (18) cgi-bin/Advanced_QOSUserRules_Content.asp, (19) cgi-bin/Advanced_SettingBackup_Content.asp, (20) cgi-bin/Advanced_System_Content.asp, (21) cgi-bin/Advanced_URLFilter_Content.asp, (22) cgi-bin/Advanced_VPN_PPTP.asp, (23) cgi-bin/Advanced_VirtualServer_Content.asp, (24) cgi-bin/Advanced_WANPort_Content.asp, (25) cgi-bin/Advanced_WAdvanced_Content.asp, (26) cgi-bin/Advanced_WMode_Content.asp, (27) cgi-bin/Advanced_WWPS_Content.asp, (28) cgi-bin/Advanced_Wireless_Content.asp, (29) cgi-bin/Bandwidth_Limiter.asp, (30) cgi-bin/Guest_network.asp, (31) cgi-bin/Main_AccessLog_Content.asp, (32) cgi-bin/Main_AdslStatus_Content.asp, (33) cgi-bin/Main_Spectrum_Content.asp, (34) cgi-bin/Main_WebHistory_Content.asp, (35) cgi-bin/ParentalControl.asp, (36) cgi-bin/QIS_wizard.asp, (37) cgi-bin/QoS_EZQoS.asp, (38) cgi-bin/aidisk.asp, (39) cgi-bin/aidisk/Aidisk-1.asp, (40) cgi-bin/aidisk/Aidisk-2.asp, (41) cgi-bin/aidisk/Aidisk-3.asp, (42) cgi-bin/aidisk/Aidisk-4.asp, (43) cgi-bin/blocking.asp, (44) cgi-bin/cloud_main.asp, (45) cgi-bin/cloud_router_sync.asp, (46) cgi-bin/cloud_settings.asp, (47) cgi-bin/cloud_sync.asp, (48) cgi-bin/device-map/DSL_dashboard.asp, (49) cgi-bin/device-map/clients.asp, (50) cgi-bin/device-map/disk.asp, (51) cgi-bin/device-map/internet.asp, (52) cgi-bin/error_page.asp, (53) cgi-bin/index.asp, (54) cgi-bin/index2.asp, (55) cgi-bin/qis/QIS_PTM_manual_setting.asp, (56) cgi-bin/qis/QIS_admin_pass.asp, (57) cgi-bin/qis/QIS_annex_setting.asp, (58) cgi-bin/qis/QIS_bridge_cfg_tmp.asp, (59) cgi-bin/qis/QIS_detect.asp, (60) cgi-bin/qis/QIS_finish.asp, (61) cgi-bin/qis/QIS_ipoa_cfg_tmp.asp, (62) cgi-bin/qis/QIS_manual_setting.asp, (63) cgi-bin/qis/QIS_mer_cfg.asp, (64) cgi-bin/qis/QIS_mer_cfg_tmp.asp, (65) cgi-bin/qis/QIS_ppp_cfg.asp, (66) cgi-bin/qis/QIS_ppp_cfg_tmp.asp, (67) cgi-bin/qis/QIS_wireless.asp, (68) cgi-bin/query_wan_status.asp, (69) cgi-bin/query_wan_status2.asp, and (70) cgi-bin/start_apply.asp. ASUSTeK Computer Inc. DSL-N14U-B1 firmware has a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.

Trust: 1.71

sources: NVD: CVE-2022-32988 // JVNDB: JVNDB-2022-012754 // VULMON: CVE-2022-32988

AFFECTED PRODUCTS

vendor: asus // model: dsl-n14u-b1 // scope: eq // version: 1.1.2.3_805

Trust: 1.0

vendor: asustek computer // model: dsl-n14u-b1 // scope: - // version: -

Trust: 0.8

vendor: asustek computer // model: dsl-n14u-b1 // scope: eq // version: dsl-n14u-b1 firmware 1.1.2.3 805

Trust: 0.8

vendor: asustek computer // model: dsl-n14u-b1 // scope: eq // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-012754 // NVD: CVE-2022-32988

CVSS

SEVERITY

nvd@nist.gov: CVE-2022-32988
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-32988
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202206-2953
value: MEDIUM

Trust: 0.6

VULMON: CVE-2022-32988
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2022-32988
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CVSSV3

nvd@nist.gov: CVE-2022-32988
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2022-32988
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2022-32988 // JVNDB: JVNDB-2022-012754 // CNNVD: CNNVD-202206-2953 // NVD: CVE-2022-32988

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-012754 // NVD: CVE-2022-32988

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2953

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202206-2953

PATCH

title: ASUS DSL-N14U-B1 Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=199840

Trust: 0.6

title: - // url: https://github.com/FedericoHeichou/DSL-N14U-XSS

Trust: 0.1

title: - // url: https://github.com/FedericoHeichou/CVE-2022-32988

Trust: 0.1

sources: VULMON: CVE-2022-32988 // CNNVD: CNNVD-202206-2953

EXTERNAL IDS

db: NVD // id: CVE-2022-32988

Trust: 3.3

db: JVNDB // id: JVNDB-2022-012754

Trust: 0.8

db: CNNVD // id: CNNVD-202206-2953

Trust: 0.6

db: VULMON // id: CVE-2022-32988

Trust: 0.1

sources: VULMON: CVE-2022-32988 // JVNDB: JVNDB-2022-012754 // CNNVD: CNNVD-202206-2953 // NVD: CVE-2022-32988

REFERENCES

url:https://github.com/federicoheichou/dsl-n14u-xss

Trust: 2.6

url:https://github.com/federicoheichou/cve-2022-32988

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-32988

Trust: 1.4

url:https://cxsecurity.com/cveshow/cve-2022-32988/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2022-32988 // JVNDB: JVNDB-2022-012754 // CNNVD: CNNVD-202206-2953 // NVD: CVE-2022-32988

SOURCES

db: VULMON // id: CVE-2022-32988
db: JVNDB // id: JVNDB-2022-012754
db: CNNVD // id: CNNVD-202206-2953
db: NVD // id: CVE-2022-32988

LAST UPDATE DATE

2024-08-14T13:53:12.408000+00:00


SOURCES UPDATE DATE

db: VULMON // id: CVE-2022-32988 // date: 2022-07-13T00:00:00
db: JVNDB // id: JVNDB-2022-012754 // date: 2023-09-01T08:14:00
db: CNNVD // id: CNNVD-202206-2953 // date: 2022-07-14T00:00:00
db: NVD // id: CVE-2022-32988 // date: 2022-07-13T01:39:51.037

SOURCES RELEASE DATE

db: VULMON // id: CVE-2022-32988 // date: 2022-07-01T00:00:00
db: JVNDB // id: JVNDB-2022-012754 // date: 2023-09-01T00:00:00
db: CNNVD // id: CNNVD-202206-2953 // date: 2022-06-30T00:00:00
db: NVD // id: CVE-2022-32988 // date: 2022-07-01T00:15:08.857