Reflective Cross-site Scripting Vulnerability in Zyxel ZyWall, USG, and UAG Devices
CVE-2019-12581

6.1 MEDIUM

Key Information:

Vendor: Zyxel
CVE Published: 27 June 2019

Summary

A reflective Cross-site Scripting (XSS) vulnerability exists in the free_time_failed.cgi CGI program within select Zyxel ZyWall, USG, and UAG devices. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML by manipulating the err_msg parameter. By exploiting this flaw, an attacker can potentially execute malicious scripts in the context of the user's session, leading to unauthorized actions or data compromise.

EPSS Score

62% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
