Cross-Site Scripting Vulnerability in Zyxel ATP and USG FLEX Firmware
CVE-2023-35139

6.1MEDIUM

Key Information:

Vendor: Zyxel
Status: ATP series firmware; USG FLEX series firmware; USG FLEX 50(W) series firmware; USG20(W)-VPN series firmware
Vendor: CVE Published:; 28 November 2023

What is CVE-2023-35139?

A cross-site scripting vulnerability exists in the CGI program of Zyxel's ATP series and USG FLEX series firmware. This flaw affects multiple firmware versions, allowing unauthenticated LAN-based attackers to store malicious scripts on vulnerable devices. If exploited, these scripts may execute and lead to the theft of cookies when users access specific CGIs used for ZTP log dumping. This vulnerability poses a significant risk to affected products by enabling attackers to manipulate sessions and extract sensitive information.

Affected Version(s)

USG FLEX 50(W) series firmware versions 5.10 through 5.37

ATP series firmware versions 5.10 through 5.37

USG FLEX series firmware versions 5.00 through 5.37

References

https://www.zyxel.com/global/en/support/security-advisori...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 28, 2023
Vulnerability Reserved
Jun 14, 2023