PT-2021-8210 · Draytek · Draytek Vigorconnect

Published

2021-10-12

·

Updated

2021-10-19

·

CVE-2021-20128

CVSS v2.0

5.5

Medium

Vector AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Draytek VigorConnect version 1.6.0-B3
Description: Stored cross-site scripting (XSS) in the Profile Name field of the floor plan page under the Network menu. The value entered in this field is saved without being sanitized or output-encoded, so an authenticated remote attacker (the CVSS vector requires a single authentication, Au:S) can store a script payload that is executed in the browser of users who later view the floor plan page.
Recommendations: For Draytek VigorConnect version 1.6.0-B3, no fixed version was known at the time of writing. Until a patch is available: avoid using the Profile Name field on the floor plan page (or disable it, where the deployment allows); restrict access to the Network menu and to the VigorConnect management interface as a whole to trusted administrators, since exploitation requires an authenticated account; and treat HTML tags or event-handler attributes appearing in stored profile names as a sign of attempted exploitation.
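The pattern behind this advisory (a free-text name stored verbatim and later interpolated into HTML) and a check a tester or defender can run against it, as an added example. This is hypothetical code written for this page, not VigorConnect's implementation: the profile store, the two render functions and the payload list are all assumptions, and nothing here asserts how the product builds its floor plan page.

```python
"""
Stored XSS through a free-text "profile name" field, modelled on the floor
plan profile issue in the advisory. Hypothetical example: the store, the
rendering functions and the detection helper are not VigorConnect's code.
"""
import html
import re

# Constructed sample input: values an attacker or a tester would type into the
# Profile Name field. The last one is benign, for comparison.
PAYLOADS = [
    '<script>alert(document.cookie)</script>',
    '"><img src=x onerror=alert(1)>',      # breaks out of a quoted attribute
    'Ground floor',
]

# In-memory stand-in for the server-side profile store (assumption).
PROFILES = {}


def save_profile(profile_id, name):
    """Root cause: the name is stored exactly as submitted, with no validation."""
    PROFILES[profile_id] = name
    return name


def render_vulnerable(profile_id):
    """Vulnerable rendering: the stored name is interpolated straight into
    HTML, once inside a double-quoted attribute and once as element text."""
    name = PROFILES[profile_id]
    return (f'<div class="floorplan" data-name="{name}">'
            f'<h2>{name}</h2></div>')


def render_hardened(profile_id):
    """Hardened rendering: output encoding at the point of use.
    html.escape(quote=True) encodes & < > " and ', which is enough for both
    the element-text and the double-quoted-attribute context used here."""
    name = html.escape(PROFILES[profile_id], quote=True)
    return (f'<div class="floorplan" data-name="{name}">'
            f'<h2>{name}</h2></div>')


# Markup that would give an injected value script execution when rendered:
# a script or image tag, or any on*= event handler attribute.
ACTIVE_CONTENT = re.compile(r'<\s*(script|img)\b|\bon\w+\s*=', re.IGNORECASE)


def contains_active_markup(value):
    """True if a submitted value carries markup worth flagging or alerting on."""
    return bool(ACTIVE_CONTENT.search(value))


def reflects_unescaped(rendered, payload):
    """True if an active payload survives byte-for-byte in the rendered page,
    i.e. the field is exploitable through that rendering path."""
    return contains_active_markup(payload) and payload in rendered


def run_demo():
    """Stores each payload, renders it both ways and reports, per payload,
    (exploitable_via_vulnerable_render, exploitable_via_hardened_render)."""
    results = {}
    for profile_id, payload in enumerate(PAYLOADS):
        save_profile(profile_id, payload)
        results[payload] = (
            reflects_unescaped(render_vulnerable(profile_id), payload),
            reflects_unescaped(render_hardened(profile_id), payload),
        )
    return results


if __name__ == '__main__':
    for payload, (vuln, hardened) in run_demo().items():
        print(f'{payload!r}: vulnerable={vuln} hardened={hardened}')
```

Two points the advisory's recommendations rely on are visible here: the fix belongs at output encoding, since the same stored value lands in two different HTML contexts, and `contains_active_markup` is the kind of check that can be run over stored profile names to spot an attempt before a patch is available.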

Exploit

XSS

Related Identifiers

BDU:2024-11437
CVE-2021-20128

Affected Products

Draytek Vigorconnect