CVE-2023-31195

Description

ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

ASUSTeK COMPUTER INC. / ASUS Router RT-AX3000Firmware versions prior to 3.0.0.4.388.23403 – Firmware versions prior to 3.0.0.4.388.23403

References

MISChttps://www.asus.com/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax3000/helpdesk_bios/?model2Name=RT-AX3000
MISChttps://jvn.jp/en/jp/JVN34232595/