Cross-Site Scripting in DrayTek Vigor2925 Router
CVE-2019-16534
6.1 MEDIUM
Summary
A cross-site scripting vulnerability exists in DrayTek Vigor2925 devices with firmware version 3.8.4.3. It can be exploited through a specially crafted WAN name input on the General Setup screen. This could allow attackers to execute arbitrary scripts in the context of the user's session, compromising user data and leading to unauthorized actions. This product is classified as end-of-life, which may affect the availability of updates or patches.
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved