Lucene search

ZyxelCVE-2024-42061

HistorySep 03, 2024 - 3:15 a.m.

CVE-2024-42061

2024-09-0303:15:03

CWE-79

Zyxel

web.nvd.nist.gov

cross-site scripting

zyxel atp

usg flex

usg20(w)-vpn

reflected

security vulnerability

browser-based information

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

17.7%

JSON

A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

Affected configurations

Nvd

Node

zyxelzld_firmwareRange4.32–5.39

AND

zyxelatp100Match-

zyxelatp100wMatch-

zyxelatp200Match-

zyxelatp500Match-

zyxelatp700Match-

zyxelatp800Match-

Node

zyxelzld_firmwareRange4.50–5.39

AND

zyxelusg_flex_100Match-

zyxelusg_flex_100axMatch-

zyxelusg_flex_100wMatch-

zyxelusg_flex_200Match-

zyxelusg_flex_50Match-

zyxelusg_flex_500Match-

zyxelusg_flex_700Match-

Node

zyxelzld_firmwareRange4.16–5.39

AND

zyxelusg_flex_50wMatch-

Node

zyxelzld_firmwareRange4.16–5.39

AND

zyxelusg_20w-vpnMatch-

VendorProductVersionCPE
zyxelzld_firmware*cpe:2.3:o:zyxel:zld_firmware:*:*:*:*:*:*:*:*
zyxelatp100-cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
zyxelatp100w-cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
zyxelatp200-cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
zyxelatp500-cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
zyxelatp700-cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
zyxelatp800-cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*
zyxelusg_flex_100-cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
zyxelusg_flex_100ax-cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*
zyxelusg_flex_100w-cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zyxel	zld_firmware	*	cpe:2.3:o:zyxel:zld_firmware::::::::
zyxel	atp100	-	cpe:2.3:h:zyxel:atp100:-:::::::*
zyxel	atp100w	-	cpe:2.3:h:zyxel:atp100w:-:::::::*
zyxel	atp200	-	cpe:2.3:h:zyxel:atp200:-:::::::*
zyxel	atp500	-	cpe:2.3:h:zyxel:atp500:-:::::::*
zyxel	atp700	-	cpe:2.3:h:zyxel:atp700:-:::::::*
zyxel	atp800	-	cpe:2.3:h:zyxel:atp800:-:::::::*
zyxel	usg_flex_100	-	cpe:2.3:h:zyxel:usg_flex_100:-:::::::*
zyxel	usg_flex_100ax	-	cpe:2.3:h:zyxel:usg_flex_100ax:-:::::::*
zyxel	usg_flex_100w	-	cpe:2.3:h:zyxel:usg_flex_100w:-:::::::*

Rows per page:

1-10 of 161

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ATP series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "versions V4.32 through V5.38"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "USG FLEX series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "versions V4.50 through V5.38"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "USG FLEX 50(W) series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "versions V4.16 through V5.38"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "USG20(W)-VPN series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "versions V4.16 through V5.38"
      }
    ]
  }
]

References

www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

17.7%

JSON

Related for CVE-2024-42061