CVE-2024-42061

Sept. 3, 2024, 12:59 p.m.

Undergoing Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Zyxel ATP series

  • V4.32 - V5.38

USG FLEX series

  • V4.50 - V5.38

USG FLEX 50(W) series

  • V4.16 - V5.38

USG20(W)-VPN series

  • V4.16 - V5.38

Source

security@zyxel.com.tw

Tags

CVE-2024-42061 details

Published : Sept. 3, 2024, 3:15 a.m.
Last Modified : Sept. 3, 2024, 12:59 p.m.

Description

A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

CVSS Score

1 2 3 4 5 6.1 7 8 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Exploitability Score

2.8

Impact Score

2.7

Base Severity

MEDIUM

This website uses the NVD API, but is not approved or certified by it.