CVE-2019-12581

Published: Jun 27, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.

Affected (9)

Products: Zyxel: Uag2100 Firmware, Uag4100 Firmware, Uag5100 Firmware, Usg110 Firmware, Usg210 Firmware, Usg310 Firmware, Usg1100 Firmware, Usg1900 Firmware, Usg2200 Vpn Firmware

9 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Uag2100 Firmware	Up to 4.18\(aaiz.1\)c0

Running on/with	Platform Versions
Zyxel Uag2100	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Uag4100 Firmware	Up to 4.18\(aatd.1\)c0

Running on/with	Platform Versions
Zyxel Uag4100	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Uag5100 Firmware	Up to 4.18\(aapn.1\)c0

Running on/with	Platform Versions
Zyxel Uag5100	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Usg110 Firmware	Up to 4.30

Running on/with	Platform Versions
Zyxel Usg110	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Usg210 Firmware	Up to 4.30

Running on/with	Platform Versions
Zyxel Usg210	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Usg310 Firmware	Up to 4.30

Running on/with	Platform Versions
Zyxel Usg310	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Usg1100 Firmware	Up to 4.30

Running on/with	Platform Versions
Zyxel Usg1100	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Usg1900 Firmware	Up to 4.30

Running on/with	Platform Versions
Zyxel Usg1900	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Usg2200 Vpn Firmware	Up to 4.30

Running on/with	Platform Versions
Zyxel Usg2200 Vpn	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (8)

https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/

Source: cve@mitre.org

ExploitThird Party Advisory

https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml

Source: cve@mitre.org

PatchVendor Advisory

https://www.zyxel.com/us/en/

Source: cve@mitre.org

Vendor Advisory

https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.zyxel.com/us/en/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.