CVE-2020-28968

Published: Oct 22, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.

Affected (13)

Products: Draytek: Vigorap 1000c Firmware, Vigorap 700 Firmware, Vigorap 710 Firmware, Vigorap 800 Firmware, Vigorap 802 Firmware, Vigorap 810 Firmware, Vigorap 900 Firmware, Vigorap 902 Firmware, Vigorap 903 Firmware, Vigorap 910c Firmware, Vigorap 912c Firmware, Vigorap 918r Firmware, Vigorap 920r Firmware

Draytek

13 products

Vigorap 1000c Firmware

Vigorap 910c Firmware

Vigorap 912c Firmware

Vigorap 918r Firmware

Vigorap 920r Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 1000c Firmware	Version 1.3.2

Running on/with	Platform Versions
Draytek Vigorap 1000c	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 700 Firmware	Version 1.11

Running on/with	Platform Versions
Draytek Vigorap 700	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 710 Firmware	Version 1.2.5

Running on/with	Platform Versions
Draytek Vigorap 710	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 800 Firmware	Version 1.1.4

Running on/with	Platform Versions
Draytek Vigorap 800	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 802 Firmware	Version 1.3.2

Running on/with	Platform Versions
Draytek Vigorap 802	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 810 Firmware	Version 1.2.5

Running on/with	Platform Versions
Draytek Vigorap 810	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 900 Firmware	Version 1.2.0

Running on/with	Platform Versions
Draytek Vigorap 900	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 902 Firmware	Version 1.2.5

Running on/with	Platform Versions
Draytek Vigorap 902	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 903 Firmware	Version 1.3.1

Running on/with	Platform Versions
Draytek Vigorap 903	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 910c Firmware	Version 1.2.5

Running on/with	Platform Versions
Draytek Vigorap 910c	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 912c Firmware	Version 1.3.2

Running on/with	Platform Versions
Draytek Vigorap 912c	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 918r Firmware	Version 1.3.2

Running on/with	Platform Versions
Draytek Vigorap 918r	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Draytek Vigorap 920r Firmware	Version 1.3.0

Running on/with	Platform Versions
Draytek Vigorap 920r	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://www.vulnerability-lab.com/get_content.php?id=2244

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.vulnerability-lab.com/get_content.php?id=2244

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.