ID

VAR-202212-1097


CVE

CVE-2022-40603


TITLE

Cross-site scripting vulnerability in multiple ZyXEL products

Trust: 0.8

sources: JVNDB: JVNDB-2022-022564

DESCRIPTION

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31 could allow an attacker to trick a user into visiting a crafted URL carrying the XSS payload. If the malicious script executes in the victim's browser, the attacker could gain access to some browser-based information. A cross-site scripting vulnerability exists in ZyXEL products such as ATP800 firmware, ATP700 firmware and ATP500 firmware; information may be obtained and information may be tampered with.

Trust: 1.62

sources: NVD: CVE-2022-40603 // JVNDB: JVNDB-2022-022564

AFFECTED PRODUCTS

vendor  model           scope  version  Trust
(scope: gte = affected from this version upward, lte = affected up to and including this version; "-" = not stated)

zyxel   usg flex 700    lte    5.31     1.0
zyxel   usg60           gte    4.30     1.0
zyxel   usg flex 50w    gte    4.50     1.0
zyxel   vpn50           lte    5.31     1.0
zyxel   atp800          gte    4.32     1.0
zyxel   usg flex 200    lte    5.31     1.0
zyxel   usg40           lte    4.72     1.0
zyxel   vpn300          gte    4.30     1.0
zyxel   usg60w          gte    4.30     1.0
zyxel   usg flex 100w   lte    5.31     1.0
zyxel   atp800          lte    5.31     1.0
zyxel   usg flex 500    gte    4.50     1.0
zyxel   usg flex 50w    lte    5.31     1.0
zyxel   usg40w          lte    4.72     1.0
zyxel   usg40           gte    4.30     1.0
zyxel   atp700          lte    5.31     1.0
zyxel   atp700          gte    4.32     1.0
zyxel   vpn100          gte    4.30     1.0
zyxel   atp100          lte    5.31     1.0
zyxel   atp500          lte    5.31     1.0
zyxel   atp500          gte    4.32     1.0
zyxel   usg40w          gte    4.30     1.0
zyxel   vpn1000         gte    4.30     1.0
zyxel   vpn50           gte    4.30     1.0
zyxel   usg flex 500    lte    5.31     1.0
zyxel   atp100          gte    4.32     1.0
zyxel   vpn300          lte    5.31     1.0
zyxel   atp100w         gte    4.32     1.0
zyxel   atp100w         lte    5.31     1.0
zyxel   usg60           lte    4.72     1.0
zyxel   atp200          gte    4.32     1.0
zyxel   atp200          lte    5.31     1.0
zyxel   vpn100          lte    5.31     1.0
zyxel   usg flex 700    gte    4.50     1.0
zyxel   usg flex 200    gte    4.50     1.0
zyxel   vpn1000         lte    5.31     1.0
zyxel   usg60w          lte    4.72     1.0
zyxel   usg flex 100w   gte    4.50     1.0
zyxel   vpn1000         -      -        0.8
zyxel   vpn300          -      -        0.8
zyxel   usg flex 100w   -      -        0.8
zyxel   usg60w          -      -        0.8
zyxel   usg flex 500    -      -        0.8
zyxel   vpn100          -      -        0.8
zyxel   usg40w          -      -        0.8
zyxel   usg flex 700    -      -        0.8
zyxel   atp500          -      -        0.8
zyxel   atp100w         -      -        0.8
zyxel   usg flex 50w    -      -        0.8
zyxel   atp800          -      -        0.8
zyxel   usg flex 200    -      -        0.8
zyxel   atp200          -      -        0.8
zyxel   atp100          -      -        0.8
zyxel   usg40           -      -        0.8
zyxel   atp700          -      -        0.8
zyxel   vpn50           -      -        0.8
zyxel   usg60           -      -        0.8

sources: JVNDB: JVNDB-2022-022564 // NVD: CVE-2022-40603

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-40603
value: MEDIUM

Trust: 1.8

security@zyxel.com.tw: CVE-2022-40603
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202212-2533
value: MEDIUM

Trust: 0.6

NVD:
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

security@zyxel.com.tw:
baseSeverity: MEDIUM
baseScore: 4.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-40603
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-022564 // NVD: CVE-2022-40603 // NVD: CVE-2022-40603 // CNNVD: CNNVD-202212-2533

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-022564 // NVD: CVE-2022-40603

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202212-2533

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202212-2533

CONFIGURATIONS

sources: NVD: CVE-2022-40603

PATCH

title: Zyxel USG/ZyWALL Fixes for cross-site scripting vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqbyid.tag?id=216748

Trust: 0.6

sources: CNNVD: CNNVD-202212-2533

EXTERNAL IDS

db: NVD  id: CVE-2022-40603

Trust: 3.2

db: JVNDB  id: JVNDB-2022-022564

Trust: 0.8

db: CNNVD  id: CNNVD-202212-2533

Trust: 0.6

sources: JVNDB: JVNDB-2022-022564 // NVD: CVE-2022-40603 // CNNVD: CNNVD-202212-2533

REFERENCES

url: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2022-40603

Trust: 1.4

url: https://cxsecurity.com/cveshow/cve-2022-40603/

Trust: 0.6

sources: JVNDB: JVNDB-2022-022564 // NVD: CVE-2022-40603 // CNNVD: CNNVD-202212-2533

SOURCES

db: JVNDB  id: JVNDB-2022-022564
db: NVD    id: CVE-2022-40603
db: CNNVD  id: CNNVD-202212-2533

LAST UPDATE DATE

2023-12-18T11:55:17.875000+00:00


SOURCES UPDATE DATE

db: JVNDB  id: JVNDB-2022-022564  date: 2023-11-17T08:21:00
db: NVD    id: CVE-2022-40603     date: 2022-12-08T16:41:37.513
db: CNNVD  id: CNNVD-202212-2533  date: 2022-12-09T00:00:00

SOURCES RELEASE DATE

db: JVNDB  id: JVNDB-2022-022564  date: 2023-11-17T00:00:00
db: NVD    id: CVE-2022-40603     date: 2022-12-06T02:15:09.730
db: CNNVD  id: CNNVD-202212-2533  date: 2022-12-06T00:00:00