A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could then gain access to some browser-based information if the malicious script is executed on the victim’s browser.
References
Link | Resource |
---|---|
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls | Vendor Advisory |
History
08 Dec 2022, 16:41
Type | Values Removed | Values Added |
---|---|---|
First Time | Zyxel usg40w, Zyxel usg Flex 200, Zyxel vpn1000, Zyxel atp500 Firmware, Zyxel usg40, Zyxel usg Flex 700 Firmware, Zyxel atp100, Zyxel atp200 Firmware, Zyxel vpn50, Zyxel vpn300, Zyxel usg40w Firmware, Zyxel atp800 Firmware, Zyxel vpn100, Zyxel, Zyxel usg Flex 700, Zyxel vpn300 Firmware, Zyxel atp500, Zyxel usg40 Firmware, Zyxel usg Flex 100w Firmware, Zyxel usg60w, Zyxel atp100w, Zyxel usg Flex 500, Zyxel vpn100 Firmware, Zyxel usg Flex 200 Firmware, Zyxel vpn1000 Firmware, Zyxel usg60, Zyxel usg Flex 500 Firmware, Zyxel atp100 Firmware, Zyxel atp700 Firmware, Zyxel vpn50 Firmware, Zyxel usg60 Firmware, Zyxel atp800, Zyxel usg Flex 50w Firmware, Zyxel usg Flex 50w, Zyxel usg Flex 100w, Zyxel usg60w Firmware, Zyxel atp200, Zyxel atp100w Firmware, Zyxel atp700 | |
CWE | CWE-79 | |
References | (CONFIRM) https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls - Vendor Advisory | |
CVSS | v2 : v3 : | v2 : unknown v3 : 6.1 |
CPE | cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:* |
06 Dec 2022, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-06 02:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-40603
Mitre link : CVE-2022-40603
CVE.ORG link : CVE-2022-40603
Products Affected
zyxel
- atp200
- vpn1000_firmware
- atp100w_firmware
- usg_flex_50w
- usg_flex_500
- vpn100_firmware
- usg_flex_100w
- usg60w
- usg_flex_700
- usg60
- atp200_firmware
- vpn50
- usg_flex_500_firmware
- vpn300
- atp800_firmware
- usg40w
- vpn300_firmware
- usg40
- atp100_firmware
- vpn1000
- atp500_firmware
- usg_flex_200
- usg60_firmware
- atp800
- usg40w_firmware
- usg60w_firmware
- atp700_firmware
- atp700
- usg_flex_200_firmware
- usg_flex_50w_firmware
- usg40_firmware
- atp500
- atp100w
- usg_flex_700_firmware
- vpn50_firmware
- vpn100
- atp100
- usg_flex_100w_firmware
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')