CVE-2024-42061

Name of the Vulnerable Software and Affected Versions Zyxel ATP series firmware versions from V4.32 through V5.38 Zyxel USG FLEX series firmware versions from V4.50 through V5.38 Zyxel USG FLEX 50(W) series firmware versions from V4.16 through V5.38 Zyxel USG20(W)-VPN series firmware versions from V4.16 through V5.38

Description A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic script.cgi" could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser. This issue is related to insufficient protection of the web page structure, which may allow a remote attacker to conduct an XSS attack.

Recommendations For Zyxel ATP series firmware versions from V4.32 through V5.38, update to a version that contains a fix for this issue. For Zyxel USG FLEX series firmware versions from V4.50 through V5.38, update to a version that contains a fix for this issue. For Zyxel USG FLEX 50(W) series firmware versions from V4.16 through V5.38, update to a version that contains a fix for this issue. For Zyxel USG20(W)-VPN series firmware versions from V4.16 through V5.38, update to a version that contains a fix for this issue. As a temporary workaround, consider disabling the "dynamic script.cgi" CGI program until a patch is available.