Reflected Cross-Site Scripting Vulnerability in Zyxel ATP Series, USG FLEX Series, USG FLEX 50(W) Series, and USG20(W)-VPN Series Firmware
CVE-2024-42061

6.1MEDIUM

Key Information:

Vendor: Zyxel
Status: Atp Series Firmware; Usg Flex Series Firmware; Usg Flex 50(w) Series Firmware; Usg20(w)-vpn Series Firmware
Vendor: CVE Published:; 3 September 2024

Summary

A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

Affected Version(s)

ATP series firmware versions V4.32 through V5.38

USG FLEX 50(W) series firmware versions V4.16 through V5.38

USG FLEX series firmware versions V4.50 through V5.38

References

https://www.zyxel.com/global/en/support/security-advisori...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 3, 2024
Vulnerability Reserved
Jul 29, 2024