PT-2023-7790 · Zyxel · Zyxel ATP Series +4
Alessandro Sgreccia · Published 2023-04-24 · Updated 2024-02-02
CVE-2023-27990
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Zyxel ATP series versions 4.32 through 5.35
Zyxel USG FLEX series versions 4.50 through 5.35
Zyxel USG FLEX 50(W) versions 4.16 through 5.35
Zyxel USG20(W)-VPN versions 4.16 through 5.35
Zyxel VPN series versions 4.30 through 5.35
Description
The issue is a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker with administrator privileges to store malicious scripts on a vulnerable device. The stored scripts are executed in the browser of any user who visits the Logs page of the device's web GUI. The root cause is improper neutralization of stored content when the Logs page is generated, so a remote attacker who can plant such content is able to run arbitrary scripts in the context of the device's management interface.
Recommendations
For Zyxel ATP series versions 4.32 through 5.35, update to a version that includes a fix for this issue.
For Zyxel USG FLEX series versions 4.50 through 5.35, update to a version that includes a fix for this issue.
For Zyxel USG FLEX 50(W) versions 4.16 through 5.35, update to a version that includes a fix for this issue.
For Zyxel USG20(W)-VPN versions 4.16 through 5.35, update to a version that includes a fix for this issue.
For Zyxel VPN series versions 4.30 through 5.35, update to a version that includes a fix for this issue.
As a temporary workaround, consider restricting access to the Logs page of the GUI on the device until a patch is available.
Fix
XSS
Affected Products
Zyxel ATP Series
Zyxel USG FLEX 50
Zyxel USG FLEX Series
Zyxel USG20(W)-VPN
Zyxel VPN Series