CVE-2023-27990

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
4.8MEDIUM
EPSS
0.2%
top 55.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
24
Zyxel Atp100 FirmwareZyxel Atp100w FirmwareZyxel Atp200 Firmware+21 more
Timeline
PublishedApr 24

Description

The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages24 packages

CVEListV5zyxel/usg_flex_series_firmware4.50 through 5.35
CVEListV5zyxel/atp_series_firmware4.32 through 5.35
CVEListV5zyxel/vpn_series_firmware4.30 through 5.35
NVDzyxel/usg_flex_50_firmware4.505.36
NVDzyxel/usg_flex_100_firmware4.505.36

🔴Vulnerability Details

2
CVEList
CVE-2023-27990: The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 42023-04-24
GHSA
GHSA-6qw9-cqm2-283v: The XSS vulnerability in Zyxel ATP series firmware versions 42023-04-24
CVE-2023-27990 (MEDIUM CVSS 4.8) | The cross-site scripting (XSS) vuln | cvebase.io