CVE-2022-40603 - OpenCVE

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Zyxel	Usg60 Usg Flex 50w Firmware Usg Flex 50w Atp800 Firmware Atp500 Firmware Usg Flex 100w Atp100 Usg60w Usg40w Firmware Atp100w Usg40 Firmware Vpn50 Vpn300 Firmware Usg40 Vpn300 Vpn100 Firmware Usg Flex 700 Firmware Atp500 Atp700 Usg Flex 700 Usg60 Firmware Vpn1000 Firmware Vpn100 Atp800 Vpn1000 Atp100 Firmware Usg Flex 500 Firmware Usg60w Firmware Vpn50 Firmware Atp100w Firmware Usg Flex 200 Firmware Usg Flex 200 Atp200 Atp700 Firmware Usg40w Usg Flex 100w Firmware Usg Flex 500 Atp200 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Zyxel

Published: 2022-12-06T00:00:00

Updated: 2022-12-06T00:00:00

Reserved: 2022-09-12T00:00:00

Link: CVE-2022-40603

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-12-06T02:15:09.730

Modified: 2022-12-08T16:41:37.513

Link: CVE-2022-40603

JSON object: View

Redhat Information

No data.

CWE

CWE-79