PT-2022-5874 · Zyxel · Zyxel ZyWALL +4

Alessandro Sgreccia · Published 2022-09-12 · Updated 2022-12-08 · CVE-2022-40603

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Zyxel USG firmware versions 4.30 through 4.72
Zyxel ZyWALL firmware versions 4.30 through 4.72
Zyxel USG FLEX firmware versions 4.50 through 5.31
Zyxel VPN firmware versions 4.30 through 5.31
Zyxel ATP firmware versions 4.32 through 5.31
Description A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel firewall firmware stems from user-supplied input being written into the web page without protection of the page structure, that is, without encoding it for the HTML context it lands in. A remote attacker could trick a user into visiting a crafted URL that carries the XSS payload; if the script runs in the victim's browser it can disclose some browser-based information. The CVSS vector reflects this: no privileges are needed, user interaction is required (the victim must open the link), the scope changes because the script executes in the victim's browser rather than on the device, and the confidentiality and integrity impacts are low with no availability impact.
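To make the weakness concrete, here is an added example (not Zyxel's code and not taken from this advisory) of a CGI-style handler that reflects a query parameter into the page without encoding, next to the hardened form that HTML-encodes it, and a small probe a tester can use to tell the two apart. The parameter name `ip`, the page layout and the canary string are assumptions chosen for illustration.

```python
"""Reflected XSS in a CGI-style handler: vulnerable form beside the hardened form.

Added example; not Zyxel's code. The parameter name "ip", the page layout and
the canary are assumptions, not details from the advisory.
"""
import html
from urllib.parse import parse_qs, quote

# Constructed attacker payload: closes the open <span> and injects a script.
PAYLOAD = '</span><script>alert(document.cookie)</script>'


def query_for(value: str) -> str:
    """Build the raw query string a browser sends for ?ip=<value>."""
    return "ip=" + quote(value, safe="")


def crafted_url(base: str, payload: str = PAYLOAD) -> str:
    """The link an attacker would send to the victim (UI:R in the CVSS vector)."""
    return f"{base}?{query_for(payload)}"


def first_param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or "" if it is absent."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Echoes the parameter straight into the page. An attacker-controlled
    string can therefore close the <span> and open a <script> element."""
    value = first_param(query_string, "ip")
    return f"<html><body><span>Host: {value}</span></body></html>"


def render_hardened(query_string: str) -> str:
    """Same page, but the value is escaped for the HTML element context.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    value = html.escape(first_param(query_string, "ip"), quote=True)
    return f"<html><body><span>Host: {value}</span></body></html>"


def reflects_unescaped(handler, canary: str = '<x"y>') -> bool:
    """Probe a handler with a canary made of the characters that must be
    encoded; True means the canary came back verbatim (XSS-prone)."""
    page = handler(query_for(canary))
    return canary in page


if __name__ == "__main__":
    print(crafted_url("https://firewall.example/cgi-bin/page"))
    print("vulnerable reflects unescaped:", reflects_unescaped(render_vulnerable))
    print("hardened  reflects unescaped:", reflects_unescaped(render_hardened))
```

The probe is the check worth keeping: a canary such as `<x"y>` is harmless on its own, and if it comes back byte-for-byte in the response the parameter is being reflected without encoding. Note that encoding must match the output context; `html.escape` is correct for element text and quoted attributes, but a value placed inside a `<script>` block or a URL needs a different encoder.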
Recommendations Update each affected product to a firmware release later than its affected range: Zyxel USG and ZyWALL from 4.30 through 4.72, USG FLEX from 4.50 through 5.31, VPN from 4.30 through 5.31, and ATP from 4.32 through 5.31. As a temporary workaround until the patch is applied, restrict access to the web management interface that serves the CGI program, for example by allowing it only from trusted management networks and not from the WAN. This limits who can be lured to the vulnerable page but does not remove the flaw for users who can still reach the interface, since the attack only needs the victim to open a crafted link.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2022-07289
CVE-2022-40603

Affected Products

Zyxel ATP
Zyxel USG
Zyxel USG FLEX
Zyxel VPN
Zyxel ZyWALL