ASUS Routers flag Parameter XSS

medium Nessus Plugin ID 72683

Synopsis

The remote web server hosts a web page that is affected by a cross- site scripting vulnerability.

Description

The remote web server fails to sanitize user-supplied input to the 'flag' parameter of the 'error_page.htm' script before using it to generate dynamic HTML output.

An attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.

Note that this install is likely affected by an information disclosure vulnerability, although Nessus has not checked for that.

Solution

Either upgrade to firmware 3.0.0.4.374.4422 or contact the vendor.

See Also

https://www.securityfocus.com/archive/1/531194/30/0/threaded

Plugin Details

Severity: Medium

ID: 72683

File Name: asus_router_error_page_xss.nasl

Version: 1.9

Type: remote

Published: 2/25/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: x-cpe:/o:asus:rt-n10u_firmware, cpe:/o:asus:rt-n56u_firmware, cpe:/o:asus:dsl-n55u_firmware, cpe:/o:asus:rt-ac66u_firmware, x-cpe:/o:asus:rt-n15u_firmware, x-cpe:/o:asus:rt-n53_firmware

Exploit Ease: No known exploits are available

Patch Publication Date: 2/13/2014

Vulnerability Publication Date: 2/21/2014

Reference Information

BID: 65733

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990