CVE-2022-2030

CWE-22 — Path Traversal4 documents4 sources

Severity

6.5MEDIUM

EPSS

1.3%

top 20.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Atp100 Firmware Zyxel Atp100w Firmware Zyxel Atp200 Firmware +28 more

Timeline

PublishedJul 19

Latest updateApr 5

Description

A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 throug…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages34 packages

▶NVDzyxel/usg_flex_200_firmware4.50 — 5.30

▶NVDzyxel/usg_flex_500_firmware4.50 — 5.30

▶NVDzyxel/usg_flex_50w_firmware4.20 — 5.30

▶NVDzyxel/usg_flex_700_firmware4.50 — 5.30

▶NVDzyxel/usg_flex_100w_firmware4.50 — 5.30

🔴Vulnerability Details

GHSA

GHSA-cq2h-7r44-f9vg: A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Z↗2022-07-20

▶

CVEList

CVE-2022-2030: A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Z↗2022-07-19

▶

💥Exploits & PoCs

Exploit-DB

Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)↗2023-04-05

▶