CVE-2025-26202

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-26202
Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/A17-ba/CVE-2025-26202-Details
https://github.com/A17-ba/CVE-2025-26202-Details
Configurations

No configuration.

History

14 Mar 2025, 20:15

Type Values Removed Values Added
References
  • {'url': 'http://dzs.com', 'source': 'cve@mitre.org'}
  • {'url': 'http://znid-gpon-2428b1-0st.com', 'source': 'cve@mitre.org'}

05 Mar 2025, 16:15

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de cross site scripting (XSS) en el campo Frase de contraseña WPA/WAPI de la configuración de seguridad inalámbrica (bandas de 2,4 GHz y 5 GHz) en la interfaz web del enrutador DZS. Un atacante autenticado puede inyectar código JavaScript malicioso en el campo de frase de contraseña, que se almacena y se ejecuta posteriormente cuando un administrador ve la frase de contraseña a través de la opción "Haga clic aquí para visualizar" en la página de estado.
References () https://github.com/A17-ba/CVE-2025-26202-Details - () https://github.com/A17-ba/CVE-2025-26202-Details -
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.3
CWE CWE-79

04 Mar 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-04 19:15

Updated : 2025-03-14 20:15

NVD link : CVE-2025-26202

Mitre link : CVE-2025-26202

CVE.ORG link : CVE-2025-26202

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')