CVE-2023-23313
published 2023-03-03

CVE-2023-23313: Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application…

Priority: P4
Severity: medium, base score 6.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  (network-reachable, low complexity, no privileges required, user interaction required, scope changed, low confidentiality and integrity impact, no availability impact)
EPSS: 0.36% (27.5th percentile)
Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.

Affected

91 ranges, showing 25

Vendor    Product                  Version range   Fixed in
draytek   vigor1000b_firmware      < 4.3.2.2       4.3.2.2
draytek   vigor130_firmware        < 3.8.5.1       3.8.5.1
draytek   vigor165_firmware        < 4.2.4.1       4.2.4.1
draytek   vigor166_firmware        < 4.2.4.1       4.2.4.1
draytek   vigor2133_firmware       < 3.9.6.5       3.9.6.5
draytek   vigor2133ac_firmware     < 3.9.6.5       3.9.6.5
draytek   vigor2133fvac_firmware   < 3.9.6.5       3.9.6.5
draytek   vigor2133n_firmware      < 3.9.6.5       3.9.6.5
draytek   vigor2133vac_firmware    < 3.9.6.5       3.9.6.5
draytek   vigor2135_firmware       < 4.4.2.1       4.4.2.1
draytek   vigor2135ac_firmware     < 4.4.2.1       4.4.2.1
draytek   vigor2135ax_firmware     < 4.4.2.1       4.4.2.1
draytek   vigor2135fvac_firmware   < 4.4.2.1       4.4.2.1
draytek   vigor2135vac_firmware    < 4.4.2.1       4.4.2.1
draytek   vigor2762_firmware       < 3.9.6.5       3.9.6.5
draytek   vigor2762ac_firmware     < 3.9.6.5       3.9.6.5
draytek   vigor2762n_firmware      < 3.9.6.5       3.9.6.5
draytek   vigor2762vac_firmware    < 3.9.6.5       3.9.6.5
draytek   vigor2763_firmware       < 4.4.2.2       4.4.2.2
draytek   vigor2763ac_firmware     < 4.4.2.2       4.4.2.2
draytek   vigor2765_firmware       < 4.4.2.1       4.4.2.1
draytek   vigor2765ac_firmware     < 4.4.2.1       4.4.2.1
draytek   vigor2765ax_firmware     < 4.4.2.1       4.4.2.1
draytek   vigor2765va_firmware     < 4.4.2.1       4.4.2.1
draytek   vigor2766_firmware       < 4.4.2.1       4.4.2.1
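The table above is the data an asset owner actually needs: the fixed version per model. As an added example (not code from Draytek or the CVE database), the following checks a constructed router inventory against the 25 fixed-in versions the page shows. Because only 25 of the 91 ranges are visible, a model that is missing from this table (for instance Vigor2865, which the description names as affected) is reported as unknown rather than as safe. The handling of suffixed firmware strings such as `4.4.2.1_STD` is an assumption about vendor version formatting, not something the page states.

```python
"""Check a Draytek router inventory against the CVE-2023-23313 fixed-in
versions listed on this page.  Added example, not vendor or CVE-database
code; the sample inventory is constructed for illustration."""
import re

# Fixed-in versions for the 25 product rows the page shows (of 91 ranges).
# Models not in this table are unknown here and must never be reported
# as "fixed" on that basis alone.
FIXED_IN = {
    "vigor1000b": "4.3.2.2",
    "vigor130": "3.8.5.1",
    "vigor165": "4.2.4.1", "vigor166": "4.2.4.1",
    "vigor2133": "3.9.6.5", "vigor2133ac": "3.9.6.5", "vigor2133fvac": "3.9.6.5",
    "vigor2133n": "3.9.6.5", "vigor2133vac": "3.9.6.5",
    "vigor2135": "4.4.2.1", "vigor2135ac": "4.4.2.1", "vigor2135ax": "4.4.2.1",
    "vigor2135fvac": "4.4.2.1", "vigor2135vac": "4.4.2.1",
    "vigor2762": "3.9.6.5", "vigor2762ac": "3.9.6.5", "vigor2762n": "3.9.6.5",
    "vigor2762vac": "3.9.6.5",
    "vigor2763": "4.4.2.2", "vigor2763ac": "4.4.2.2",
    "vigor2765": "4.4.2.1", "vigor2765ac": "4.4.2.1", "vigor2765ax": "4.4.2.1",
    "vigor2765va": "4.4.2.1",
    "vigor2766": "4.4.2.1",
}

# Leading dotted-numeric part only; an optional 'v' prefix and any trailing
# suffix (e.g. '_STD') are ignored -- an assumption about vendor strings.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'3.9.6.4' -> (3, 9, 6, 4); returns None if no version is recognisable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a, b):
    """Numeric comparison with zero padding, so 4.4.2 == 4.4.2.0 and
    4.3.2 < 4.3.2.2 (plain tuple comparison would also treat 4.4.2 as
    older than 4.4.2.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess(model, firmware):
    """One of 'vulnerable', 'fixed', 'unknown-product', 'unknown-version'."""
    fixed = FIXED_IN.get(model.strip().lower())
    if fixed is None:
        return "unknown-product"
    installed = parse_version(firmware)
    if installed is None:
        return "unknown-version"
    return "vulnerable" if version_lt(installed, parse_version(fixed)) else "fixed"


def audit(inventory):
    """inventory: iterable of (hostname, model, firmware) -> {hostname: status}."""
    return {host: assess(model, fw) for host, model, fw in inventory}


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("branch-01", "Vigor2865", "4.4.1.0"),      # named in the description, not in the 25 rows shown
    ("branch-02", "Vigor2133ac", "3.9.6.4"),    # below fixed 3.9.6.5
    ("branch-03", "Vigor2765", "4.4.2.1_STD"),  # at fixed version, suffix ignored
    ("branch-04", "Vigor1000B", "4.3.2"),       # 4.3.2 is older than 4.3.2.2
    ("branch-05", "Vigor2763", "4.4.2.2"),
    ("branch-06", "Vigor165", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

For a real fleet, replace `SAMPLE_INVENTORY` with the output of your inventory system and extend `FIXED_IN` from the full 91-range list before trusting any "fixed" verdict; the three-way "unknown" outcomes exist precisely so that gaps in the data surface as work items instead of silently passing.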