9.8

CVE-2016-6558

A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided by action_script does not match one of the hard coded options, then it will be executed as the argument of either a system() or an eval() call allowing arbitrary commands to be executed.

Data is provided by the National Vulnerability Database (NVD)
AsusRp-ac52 Firmware Version <= 1.0.1.1s
   AsusRp-ac52 Version-
AsusEa-n66 Firmware Version-
   AsusEa-n66 Version-
AsusRp-n12 Firmware Version-
   AsusRp-n12 Version-
AsusRp-n14 Firmware Version-
   AsusRp-n14 Version-
AsusRp-n53 Firmware Version-
   AsusRp-n53 Version-
AsusRp-ac56 Firmware Version-
   AsusRp-ac56 Version-
AsusWmp-n12 Firmware Version-
   AsusWmp-n12 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 4.24% 0.883
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.kb.cert.org/vuls/id/763843
Third Party Advisory
US Government Resource
https://www.securityfocus.com/bid/93596
Third Party Advisory
VDB Entry