XSS Vulnerability in DrayTek Vigor2925 Router
CVE-2019-16533

6.1MEDIUM

Key Information:

Vendor: Draytek
Status: Vigor2925 Firmware
Vendor: CVE Published:; 20 September 2019

What is CVE-2019-16533?

A Cross-Site Scripting (XSS) vulnerability has been identified in the loginset.htm file of DrayTek Vigor2925 routers running firmware version 3.8.4.3. This flaw permits incorrect access control, allowing attackers to execute scripts in the context of the user's session. It's important to note that DrayTek Vigor2925 is an end-of-life product, which increases the risk of exploitation. Users should consider upgrading to a supported device to mitigate security risks.

References

https://www.facebook.com/Huang.YuHsiang.Phone/posts/18153...

x_refsource_MISC

https://www.draytek.com/about/security-advisory/urgent-se...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 20, 2019
Vulnerability Reserved
Sep 19, 2019

Draytek

What is CVE-2019-16533?

References

CVSS V3.1

Timeline