CVE-2022-40603

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.

CVSS v3.0 6.1 MEDIUM

6.1^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:*

Information

Published : 2022-12-05 18:15

Updated : 2022-12-08 08:41

NVD link : CVE-2022-40603

Mitre link : CVE-2022-40603

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Products Affected

zyxel

usg60w
usg60
usg_flex_500
atp100_firmware
usg_flex_100w_firmware
atp100w_firmware
usg40w_firmware
atp500_firmware
atp200_firmware
atp200
usg_flex_700_firmware
usg_flex_200
vpn50_firmware
atp700_firmware
atp100
atp800
usg40w
atp800_firmware
vpn1000
usg60w_firmware
atp700
usg40_firmware
vpn50
vpn300
vpn100
usg_flex_500_firmware
atp100w
vpn300_firmware
usg40
usg_flex_700
usg_flex_200_firmware
usg_flex_50w
usg60_firmware
usg_flex_50w_firmware
atp500
vpn100_firmware
usg_flex_100w
vpn1000_firmware

6.1 /10