Cross-Site Scripting Vulnerability in ZyXEL SBG-3300 Security Gateway
CVE-2014-7277

Currently unrated

Key Information:

Vendor
Zyxel
CVE Published:
4 October 2014

Summary

The ZyXEL SBG-3300 Security Gateway is affected by a Cross-Site Scripting (XSS) vulnerability in its login page, which allows remote attackers to inject arbitrary web script or HTML through unfiltered 'welcome message' form data. The input is handled improperly when the loginMessage list item is rendered, which could lead to exploitation of session tokens or redirection to malicious websites. Users of firmware version 1.00(AADY.4)C0 and earlier should be vigilant, as this flaw remains unpatched in the affected versions.

Timeline

  • Vulnerability published

  • Vulnerability Reserved