CVE-2022-0734

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 44.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Atp100 Firmware Zyxel Atp100w Firmware Zyxel Atp200 Firmware +33 more

Timeline

PublishedMay 24

Latest updateMay 25

Description

A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages36 packages

▶CVEListV5zyxel/usg_flex_series_firmware4.50 through 5.20

▶CVEListV5zyxel/usg/zywall_series_firmware4.35 through 4.70

▶CVEListV5zyxel/atp_series_firmware4.35 through 5.20

▶CVEListV5zyxel/vpn_series_firmware4.35 through 5.20

▶NVDzyxel/usg_flex_100_firmware4.50 — 5.20

🔴Vulnerability Details

GHSA

GHSA-3mfr-f8f8-px3w: A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4↗2022-05-25

▶

CVEList

CVE-2022-0734: A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4↗2022-05-24

▶