CVE-2022-40603

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Dec 6, 2022 / Updated: 23mo ago

CVSS 6.1 / EPSS 0.05% / Medium

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2022-40603.

Dec 6, 2022 at 1:34 AM / twitter.com

EPSS

EPSS Score was set to: 0.05% (Percentile: 14.2%)

Sep 23, 2023 at 9:18 PM

Affected Systems

Zyxel/vpn50_firmware

Patches

www.zyxel.com

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

Security Vulnerabilities (Cross Site Scripting (XSS)) - CVE Details
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages. Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CPO Shortcodes plugin <= 1.5.0 at WordPress.
CVE-2022-40603 (atp100_firmware, atp100w_firmware, atp200_firmware, atp500_firmware, atp700_firmware, atp800_firmware, usg_flex_100w_firmware, usg_flex_200_firmware, usg_flex_500_firmware, usg_flex_50w_firmware, usg_flex_700_firmware, usg40_firmware, usg40w_firmware, usg60_firmware, usg60w_firmware,....
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls (Vendor Advisory)
Security News – Week 49
A critical security vulnerability has been identified in the ping module of the open-source FreeBSD operating system that threat actors could potentially exploit to gain remote code execution. LastPass, a popular password management service, suffered a data breach that resulted in threat actors gaining unauthorized access to a certain number of customer information.
CVE-2022-40603
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser. (CVSS:0.0) (Last Update:2022-12-06)
CVE-2022-40603
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Gained Access: None. Vulnerability Type(s): Cross Site Scripting. CWE ID: CWE id is not defined for this vulnerability.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
