CVE-2023-23313
Published 2023-03-03
Priority: P4 · 24 · medium · 6.1 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.36% (27.5th percentile)
Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.
Affected
91 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigor1000b_firmware | < 4.3.2.2 | 4.3.2.2 |
| draytek | vigor130_firmware | < 3.8.5.1 | 3.8.5.1 |
| draytek | vigor165_firmware | < 4.2.4.1 | 4.2.4.1 |
| draytek | vigor166_firmware | < 4.2.4.1 | 4.2.4.1 |
| draytek | vigor2133_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2133ac_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2133fvac_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2133n_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2133vac_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2135_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2135ac_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2135ax_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2135fvac_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2135vac_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2762_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2762ac_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2762n_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2762vac_firmware | < 3.9.6.5 | 3.9.6.5 |
| draytek | vigor2763_firmware | < 4.4.2.2 | 4.4.2.2 |
| draytek | vigor2763ac_firmware | < 4.4.2.2 | 4.4.2.2 |
| draytek | vigor2765_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2765ac_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2765ax_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2765va_firmware | < 4.4.2.1 | 4.4.2.1 |
| draytek | vigor2766_firmware | < 4.4.2.1 | 4.4.2.1 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerability-%28cve-2023-23313%29/
https://www.horizonconsulting.com/advisories23-Multiple-XSS-Stored-in-DrayTek-routers-CVE-2023-23313
2023-03-03
Published