Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-12581Cross-site Scripting in Zyxel Uag2100 Firmware

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
35.8%
top 2.91%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
9
Zyxel Uag2100 FirmwareZyxel Uag4100 FirmwareZyxel Uag5100 Firmware+6 more
Timeline
PublishedJun 27
Latest updateMay 24

Description

A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages9 packages

NVDzyxel/uag2100_firmware4.18\(aaiz.1\)c0
NVDzyxel/uag4100_firmware4.18\(aatd.1\)c0

Patches

Patch: sec-consult.comPatch: www.zyxel.comPatch: sec-consult.com

🔴Vulnerability Details

2
GHSA
GHSA-5f8r-3j92-cp9m: A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed2022-05-24
CVEList
CVE-2019-12581: A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed2019-06-27

💥Exploits & PoCs

1
Nuclei
Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting
CVE-2019-12581 — Cross-site Scripting in Zyxel | cvebase