CVE-2024-42061

Published: Sep 3, 2024Modified: Dec 13, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: security@zyxel.com.tw (Secondary)

Description

A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

Affected (3)

Products: Zyxel: Zld

Zyxel

1 product

Zld

Configuration A

1 vulnerable · 6 platform

Vulnerable Software	Affected Versions
Zyxel Zld	From 4.32 to 5.39

Running on/with	Platform Versions
Zyxel Atp100	All versions
Zyxel Atp100w	All versions
Zyxel Atp200	All versions
Zyxel Atp500	All versions
Zyxel Atp700	All versions
Zyxel Atp800	All versions

Configuration B

1 vulnerable · 7 platform

Vulnerable Software	Affected Versions
Zyxel Zld	From 4.50 to 5.39

Running on/with	Platform Versions
Zyxel Usg Flex 100	All versions
Zyxel Usg Flex 100ax	All versions
Zyxel Usg Flex 100w	All versions
Zyxel Usg Flex 200	All versions
Zyxel Usg Flex 50	All versions
Zyxel Usg Flex 500	All versions
Zyxel Usg Flex 700	All versions

Configuration C

1 platform

Running on/with	Platform Versions
Zyxel Usg Flex 50w	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zyxel Zld	From 4.16 to 5.39

Running on/with	Platform Versions
Zyxel Usg 20w Vpn	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024

Source: security@zyxel.com.tw

Vendor Advisory

Timeline

No history available yet.