CVE-2019-16533

Published: Sep 20, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS. NOTE: this is an end-of-life product.

Affected (1)

Products: Draytek: Vigor2925 Firmware

Draytek

1 product

Vigor2925 Firmware

Configuration A

1 vulnerable · 7 platform

Vulnerable Software	Affected Versions
Draytek Vigor2925 Firmware	Version 3.8.4.3

Running on/with	Platform Versions
Draytek Vigor2925ac	All versions
Draytek Vigor2925fn	All versions
Draytek Vigor2925n Plus	All versions
Draytek Vigor2925vac	All versions
Draytek Vigor2925vn Plus	All versions
Draytek Vigor 2925	All versions
Draytek Vigor 2925n	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://www.draytek.com/about/security-advisory/urgent-security-updates-to-draytek-routers

Source: cve@mitre.org

https://www.facebook.com/Huang.YuHsiang.Phone/posts/1815316691945755

Source: cve@mitre.org

Third Party Advisory

https://www.draytek.com/about/security-advisory/urgent-security-updates-to-draytek-routers

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.facebook.com/Huang.YuHsiang.Phone/posts/1815316691945755

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.