CVE-2024-42061

A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:zld_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:atp100:-:::::::*
	cpe:2.3:h:zyxel:atp100w:-:::::::*
	cpe:2.3:h:zyxel:atp200:-:::::::*
	cpe:2.3:h:zyxel:atp500:-:::::::*
	cpe:2.3:h:zyxel:atp700:-:::::::*
	cpe:2.3:h:zyxel:atp800:-:::::::*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:zld_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:usg_flex_100:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100ax:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100w:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_200:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_500:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_700:-:::::::*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:zld_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:zyxel:zld_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*

History

05 Sep 2024, 14:32

Type	Values Removed	Values Added
First Time		Zyxel usg Flex 100ax Zyxel usg 20w-vpn Zyxel usg Flex 200 Zyxel usg Flex 100 Zyxel atp700 Zyxel usg Flex 500 Zyxel atp800 Zyxel atp500 Zyxel atp100 Zyxel usg Flex 700 Zyxel usg Flex 100w Zyxel usg Flex 50w Zyxel usg Flex 50 Zyxel Zyxel atp100w Zyxel zld Firmware Zyxel atp200
References	~~() https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024 -~~	() https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024 - Vendor Advisory
CPE		cpe:2.3:h:zyxel:atp100w:-:::::::* cpe:2.3:o:zyxel:zld_firmware:::::::: cpe:2.3:h:zyxel:atp800:-:::::::* cpe:2.3:h:zyxel:usg_flex_100:-:::::::* cpe:2.3:h:zyxel:usg_flex_100w:-:::::::* cpe:2.3:h:zyxel:usg_flex_700:-:::::::* cpe:2.3:h:zyxel:usg_flex_50w:-:::::::* cpe:2.3:h:zyxel:usg_flex_200:-:::::::* cpe:2.3:h:zyxel:usg_20w-vpn:-:::::::* cpe:2.3:h:zyxel:atp100:-:::::::* cpe:2.3:h:zyxel:atp200:-:::::::* cpe:2.3:h:zyxel:atp700:-:::::::* cpe:2.3:h:zyxel:usg_flex_50:-:::::::* cpe:2.3:h:zyxel:usg_flex_100ax:-:::::::* cpe:2.3:h:zyxel:atp500:-:::::::* cpe:2.3:h:zyxel:usg_flex_500:-:::::::*

03 Sep 2024, 12:59

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de Cross-site Scripting (XSS) reflejado en el programa CGI "dynamic_script.cgi" de las versiones de firmware de la serie Zyxel ATP desde la V4.32 hasta la V5.38, las versiones de firmware de la serie USG FLEX desde la V4.50 hasta la V5.38, las versiones de firmware de la serie USG FLEX 50(W) desde la V4.16 hasta la V5.38 y las versiones de firmware de la serie USG20(W)-VPN desde la V4.16 hasta la V5.38 podría permitir a un atacante engañar a un usuario para que visite una URL manipulada con el payload XSS. El atacante podría obtener información basada en el navegador si el script malicioso se ejecuta en el navegador de la víctima.

03 Sep 2024, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-03 03:15

Updated : 2024-09-05 14:32

NVD link : CVE-2024-42061

Mitre link : CVE-2024-42061

CVE.ORG link : CVE-2024-42061

JSON object : View

Products Affected

zyxel

usg_flex_100
zld_firmware
atp800
usg_20w-vpn
usg_flex_50
usg_flex_100ax
usg_flex_700
usg_flex_100w
usg_flex_200
usg_flex_500
usg_flex_50w
atp500
atp700
atp200
atp100w
atp100

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

JSON object

Attach tags to CVE-2024-42061

6.1^/10

Attach tags to `CVE-2024-42061`