Lucene search

[email protected]CVE-2022-40603

HistoryDec 06, 2022 - 2:15 a.m.

CVE-2022-40603

2022-12-0602:15:09

CWE-79

[email protected]

web.nvd.nist.gov

cve-2022-40603

xss

zyxel

zywall

usg

vpn

flex

atp

firmware vulnerability

security advisory

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.3%

JSON

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.

Affected configurations

NVD

Node

zyxelatp800Match-

AND

zyxelatp800_firmwareRange4.32–5.31

Node

zyxelatp700Match-

AND

zyxelatp700_firmwareRange4.32–5.31

Node

zyxelatp500Match-

AND

zyxelatp500_firmwareRange4.32–5.31

Node

zyxelatp200_firmwareRange4.32–5.31

AND

zyxelatp200Match-

Node

zyxelatp100_firmwareRange4.32–5.31

AND

zyxelatp100Match-

Node

zyxelatp100w_firmwareRange4.32–5.31

AND

zyxelatp100wMatch-

Node

zyxelusg_flex_100w_firmwareRange4.50–5.31

AND

zyxelusg_flex_100wMatch-

Node

zyxelusg_flex_200_firmwareRange4.50–5.31

AND

zyxelusg_flex_200Match-

Node

zyxelusg_flex_500_firmwareRange4.50–5.31

AND

zyxelusg_flex_500Match-

Node

zyxelusg_flex_700_firmwareRange4.50–5.31

AND

zyxelusg_flex_700Match-

Node

zyxelusg_flex_50w_firmwareRange4.50–5.31

AND

zyxelusg_flex_50wMatch-

Node

zyxelvpn1000_firmwareRange4.30–5.31

AND

zyxelvpn1000Match-

Node

zyxelvpn300_firmwareRange4.30–5.31

AND

zyxelvpn300Match-

Node

zyxelvpn100_firmwareRange4.30–5.31

AND

zyxelvpn100Match-

Node

zyxelvpn50_firmwareRange4.30–5.31

AND

zyxelvpn50Match-

Node

zyxelusg40_firmwareRange4.30–4.72

AND

zyxelusg40Match-

Node

zyxelusg40w_firmwareRange4.30–4.72

AND

zyxelusg40wMatch-

Node

zyxelusg60_firmwareRange4.30–4.72

AND

zyxelusg60Match-

Node

zyxelusg60w_firmwareRange4.30–4.72

AND

zyxelusg60wMatch-

CPENameOperatorVersion
zyxel:atp800_firmwarezyxel atp800 firmwarele5.31

CPE	Name	Operator	Version
zyxel:atp800_firmware	zyxel atp800 firmware	le	5.31

CNA Affected

[
  {
    "vendor": "Zyxel",
    "product": "ZyWALL/USG series firmware",
    "versions": [
      {
        "version": "4.30 through 4.72",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "VPN series firmware",
    "versions": [
      {
        "version": "4.30 through 5.31",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "USG FLEX series firmware",
    "versions": [
      {
        "version": "4.50 through 5.31",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "ATP series firmware",
    "versions": [
      {
        "version": "4.32 through 5.31",
        "status": "affected"
      }
    ]
  }
]

References

www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.3%

JSON

Related for CVE-2022-40603

prion1 nvd1 cvelist1