Asus RT-N10 Plus Cross Site Scripting CVE-2015-1437


ASUS Router RT-N10 Plus is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the result_of_get_changed_status.asp script. A remote authenticated attacker could exploit this vulnerability using the flag parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Technical details

Multiple cross-site scripting (XSS) vulnerabilities in Asus RT-N10+ D1 router with firmware allow remote attackers to inject arbitrary web script or HTML via the flag parameter to (1) result_of_get_changed_status.asp or (2) error_page.htm.
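A defender-side check for the issue described above, as an added example that is not part of the original advisory: it scans web or proxy access logs for requests to the two affected pages whose flag parameter decodes to HTML metacharacters, including double-encoded values. The common log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Page names come from the advisory; the log format is an assumption.
AFFECTED_PAGES = {"result_of_get_changed_status.asp", "error_page.htm"}
HTML_META = re.compile(r"[<>\"'`]")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded markup is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_flag(url):
    """Return the decoded flag value if it holds HTML metacharacters, else None."""
    parts = urlsplit(url)
    if parts.path.rsplit("/", 1)[-1].lower() not in AFFECTED_PAGES:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("flag", []):
        value = fully_decode(raw)
        if HTML_META.search(value):
            return value
    return None

def scan(log_lines):
    """Return (line_number, decoded_flag) for each request worth reviewing."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        value = suspicious_flag(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample lines (common log format), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2015:10:00:00 +0000] "GET /result_of_get_changed_status.asp?flag=nodetect HTTP/1.1" 200 120',
    '192.0.2.10 - - [01/Feb/2015:10:00:05 +0000] "GET /error_page.htm?flag=%3Ci%3Ex%3C%2Fi%3E HTTP/1.1" 200 310',
    '192.0.2.11 - - [01/Feb/2015:10:00:09 +0000] "GET /result_of_get_changed_status.asp?flag=%253Ci%253Ex HTTP/1.1" 200 98',
    '192.0.2.11 - - [01/Feb/2015:10:00:12 +0000] "GET /index.asp?flag=%3Ci%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: flag={value!r}")
```

A hit only means the flag value contained markup characters; whether the page reflected it unencoded still has to be confirmed against the device's response.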

CVSS Scores & Vulnerability Types

CVSS Score
Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact: None (There is no impact to the availability of the system.)
Access Complexity: Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Cross Site Scripting


It is possible to compromise a complete network running on an Asus router with a social engineering trick: the user only has to visit a specially crafted request, and this may lead to compromise of their system using a browser exploitation framework.

References to Advisories, Solutions, and Tools

External Source: MISC


External Source: BUGTRAQ

Name: 20150203 CVE-2015-1437 XSS In ASUS Router.

External Source: BUGTRAQ

Name: 20150129 Reflected XSS vulnarbility in Asus RT-N10 Plus Router

External Source: XF

Name: asus-rtn10-resultstatus-xss(100566)

External Source: BID

Name: 72369

External Source: XF

Name: asus-rtn10-errorpage-xss(100563)

External Source: BUGTRAQ

Name: 20150129 Unauthenticated Reflected XSS vulnarbility in Asus RT-N10 Plus router


