Lucene search

[email protected]NVD:CVE-2023-35720

HistoryMay 03, 2024 - 2:15 a.m.

CVE-2023-35720

2024-05-0302:15:34

CWE-89

[email protected]

web.nvd.nist.gov

asus rt-ax92u

mod_webdav.so

sql injection

information disclosure

vulnerability

6.5 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON

ASUS RT-AX92U lighttpd mod_webdav.so SQL Injection Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected ASUS RT-AX92U routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the mod_webdav.so module. When parsing a request, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-16078.

References

www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/aimesh-wifi-routers-and-systems/rt-ax92u/helpdesk_bios/?model2Name=RT-AX92U

www.zerodayinitiative.com/advisories/ZDI-23-1166/

6.5 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON

Related for NVD:CVE-2023-35720

cvelist1 vulnrichment1 cve1 zdi1