CVE-2022-0734

Name of the Vulnerable Software and Affected Versions ZyXEL USG/ZyWALL series firmware versions 4.35 through 4.70 ZyXEL USG FLEX series firmware versions 4.50 through 5.20 ZyXEL ATP series firmware versions 4.35 through 5.20 ZyXEL VPN series firmware versions 4.35 through 5.20

Description A cross-site scripting issue in the CGI program of ZyXEL's network device software is related to the lack of protection for the web page structure. This could allow a remote attacker to obtain unauthorized access to protected information by executing a specially crafted script, potentially accessing information stored in the user's browser, such as cookies or session tokens.

Recommendations For ZyXEL USG/ZyWALL series firmware versions 4.35 through 4.70, update to a version outside of this range to mitigate the risk. For ZyXEL USG FLEX series firmware versions 4.50 through 5.20, update to a version outside of this range to mitigate the risk. For ZyXEL ATP series firmware versions 4.35 through 5.20, update to a version outside of this range to mitigate the risk. For ZyXEL VPN series firmware versions 4.35 through 5.20, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the CGI program until a patch is available.