CVE-2023-27990
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Zyxel | ATP series firmware | 4.32 through 5.35 | affected |
| Zyxel | USG FLEX series firmware | 4.50 through 5.35 | affected |
| Zyxel | USG FLEX 50(W) firmware | 4.16 through 5.35 | affected |
| Zyxel | USG20(W)-VPN firmware | 4.16 through 5.35 | affected |
| Zyxel | VPN series firmware | 4.30 through 5.35 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.