CVE-2023-35139

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.2%

top 63.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel ZLD Zyxel ATP Series Firmware Zyxel Usg20(w)-vpn Series Firmware +3 more

Timeline

PublishedNov 28

Description

A cross-site scripting (XSS) vulnerability in the CGI program of the Zyxel ATP series firmware versions 5.10 through 5.37, USG FLEX series firmware versions 5.00 through 5.37, USG FLEX 50(W) series firmware versions 5.10 through 5.37, USG20(W)-VPN series firmware versions 5.10 through 5.37, and VPN series firmware versions 5.00 through 5.37, could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored…

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.7

Affected Packages6 packages

▶CVEListV5zyxel/usg_flex_series_firmware versions 5.00 through 5.37

▶CVEListV5zyxel/usg_flex_50(w)_series_firmwareversions 5.10 through 5.37

▶CVEListV5zyxel/usg20(w)-vpn_series_firmware versions 5.10 through 5.37

▶CVEListV5zyxel/atp_series_firmwareversions 5.10 through 5.37

▶CVEListV5zyxel/vpn_series_firmwareversions 5.00 through 5.37

🔴Vulnerability Details

CVEList

CVE-2023-35139: A cross-site scripting (XSS) vulnerability in the CGI program of the Zyxel ATP series firmware versions 5↗2023-11-28

▶

GHSA

GHSA-wjqc-5477-jpgg: A cross-site scripting (XSS) vulnerability in the CGI program of the Zyxel ATP series firmware versions 5↗2023-11-28

▶