CVE-2023-27990
24.04.2023, 18:15
The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.
| Vendor | Product | Version |
|---|---|---|
| zyxel | atp200_firmware | 4.32 ≤ 𝑥 < 5.36 |
| zyxel | atp100_firmware | 4.32 ≤ 𝑥 < 5.36 |
| zyxel | atp700_firmware | 4.32 ≤ 𝑥 < 5.36 |
| zyxel | atp500_firmware | 4.32 ≤ 𝑥 < 5.36 |
| zyxel | atp100w_firmware | 4.32 ≤ 𝑥 < 5.36 |
| zyxel | atp800_firmware | 4.32 ≤ 𝑥 < 5.36 |
| zyxel | usg_flex_100_firmware | 4.50 ≤ 𝑥 < 5.36 |
| zyxel | usg_flex_50_firmware | 4.50 ≤ 𝑥 < 5.36 |
| zyxel | usg_flex_200_firmware | 4.50 ≤ 𝑥 < 5.36 |
| zyxel | usg_flex_500_firmware | 4.50 ≤ 𝑥 < 5.36 |
| zyxel | usg_flex_700_firmware | 4.50 ≤ 𝑥 < 5.36 |
| zyxel | usg_flex_100w_firmware | 4.50 ≤ 𝑥 < 5.36 |
| zyxel | usg_20w-vpn_firmware | 4.16 ≤ 𝑥 < 5.36 |
| zyxel | usg_flex_50w_firmware | 4.16 ≤ 𝑥 < 5.36 |
| zyxel | usg20-vpn_firmware | 4.30 ≤ 𝑥 < 5.36 |
| zyxel | vpn100_firmware | 4.30 ≤ 𝑥 < 5.36 |
| zyxel | vpn1000_firmware | 4.30 ≤ 𝑥 < 5.36 |
| zyxel | vpn300_firmware | 4.30 ≤ 𝑥 < 5.36 |
| zyxel | vpn50_firmware | 4.30 ≤ 𝑥 < 5.36 |
𝑥
= Vulnerable software versions
References