CVE-2017-14699
Severity CVSS v4.0:
Pending analysis
Type:
CWE-611
Improper Restriction of XML External Entity Reference ('XXE')
Publication date:
29/01/2018
Last modified:
22/02/2018
Description
Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow remote authenticated users to read arbitrary files via a crafted DTD in (1) an UPDATEACCOUNT or (2) a PROPFIND request.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:asus:dsl-ac51_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:asus:dsl-ac51:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:asus:dsl-ac52u_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:asus:dsl-ac52u:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:asus:dsl-ac55u_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:asus:dsl-ac55u:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:asus:dsl-n55u_c1_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:asus:dsl-n55u_c1:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:asus:dsl-n55u_d1_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:asus:dsl-n55u_d1:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:asus:dsl-ac56u_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:asus:dsl-ac56u:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:asus:dsl-n10_c1_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:asus:dsl-n10_c1:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:asus:dsl-n12u_c1_firmware:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page