First published: Tue Dec 06 2022(Updated: )
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.
Credit: security@zyxel.com.tw
Affected Software | Affected Version | How to fix |
---|---|---|
Zyxel Atp800 Firmware | >=4.32<=5.31 | |
Zyxel Atp800 | ||
Zyxel Atp700 Firmware | >=4.32<=5.31 | |
Zyxel Atp700 | ||
Zyxel Atp500 Firmware | >=4.32<=5.31 | |
Zyxel Atp500 | ||
Zyxel Atp200 Firmware | >=4.32<=5.31 | |
Zyxel ATP200 | ||
Zyxel Multiple Network-Attached Storage (NAS) Devices | >=4.32<=5.31 | |
Zyxel Multiple Network-Attached Storage (NAS) Devices | ||
Zyxel Atp100w Firmware | >=4.32<=5.31 | |
Zyxel Atp100w | ||
Zyxel Usg Flex 100w Firmware | >=4.50<=5.31 | |
Zyxel Usg Flex 100w | ||
Zyxel Usg Flex 200 Firmware | >=4.50<=5.31 | |
Zyxel Usg Flex 200 | ||
Zyxel Usg Flex 500 Firmware | >=4.50<=5.31 | |
Zyxel Usg Flex 500 | ||
Zyxel Usg Flex 700 Firmware | >=4.50<=5.31 | |
Zyxel Usg Flex 700 | ||
Zyxel Usg Flex 50w Firmware | >=4.50<=5.31 | |
Zyxel Usg Flex 50w | ||
Zyxel Multiple Network-Attached Storage (NAS) Devices | >=4.30<=5.31 | |
Zyxel Multiple Network-Attached Storage (NAS) Devices | ||
Zyxel Vpn300 Firmware | >=4.30<=5.31 | |
Zyxel Vpn300 | ||
Zyxel Vpn100 Firmware | >=4.30<=5.31 | |
Zyxel Vpn100 | ||
Zyxel Vpn50 Firmware | >=4.30<=5.31 | |
Zyxel Vpn50 | ||
Zyxel Usg40 Firmware | >=4.30<=4.72 | |
Zyxel Usg40 | ||
Zyxel Usg40w Firmware | >=4.30<=4.72 | |
Zyxel Usg40w | ||
Zyxel Usg60 Firmware | >=4.30<=4.72 | |
Zyxel Usg60 | ||
Zyxel Usg60w Firmware | >=4.30<=4.72 | |
Zyxel Usg60w |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-40603 is a cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware.
Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31 are affected.
CVE-2022-40603 has a severity level of 6.1 (medium).
Update the affected firmware versions to the latest ones provided by Zyxel.
You can find more information about CVE-2022-40603 on Zyxel's official security advisories page: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls