Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-0734

Summary
Assigner-Zyxel
Assigner Org ID-96e50032-ad0d-4058-a115-4d2c13821f9f
Published At-24 May, 2022 | 02:10
Updated At-02 Aug, 2024 | 23:40
Rejected At-
Credits

A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Zyxel
Assigner Org ID:96e50032-ad0d-4058-a115-4d2c13821f9f
Published At:24 May, 2022 | 02:10
Updated At:02 Aug, 2024 | 23:40
Rejected At:
â–¼CVE Numbering Authority (CNA)

A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script.

Affected Products
Vendor
Zyxel Networks CorporationZyxel
Product
USG/ZyWALL series firmware
Versions
Affected
  • 4.35 through 4.70
Vendor
Zyxel Networks CorporationZyxel
Product
USG FLEX series firmware
Versions
Affected
  • 4.50 through 5.20
Vendor
Zyxel Networks CorporationZyxel
Product
ATP series firmware
Versions
Affected
  • 4.35 through 5.20
Vendor
Zyxel Networks CorporationZyxel
Product
VPN series firmware
Versions
Affected
  • 4.35 through 5.20
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.15.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Version: 3.1
Base score: 5.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
x_refsource_CONFIRM
Hyperlink: https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Resource:
x_refsource_CONFIRM
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@zyxel.com.tw
Published At:24 May, 2022 | 03:15
Updated At:06 Jun, 2022 | 18:16

A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary3.15.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
Zyxel Networks Corporation
zyxel
>>vpn100_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>vpn100>>-
cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>vpn1000_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>vpn1000>>-
cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>vpn300_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>vpn300>>-
cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>vpn50_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>vpn50>>-
cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp100_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp100>>-
cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp100w_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp100w>>-
cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp200_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp200>>-
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp500_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp500>>-
cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp700_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp700>>-
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp800_firmware>>Versions from 4.35(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>atp800>>-
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_110_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_110_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_110>>-
cpe:2.3:h:zyxel:usg_110:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_1100_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_1100_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_1100>>-
cpe:2.3:h:zyxel:usg_1100:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_1900_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_1900_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_1900>>-
cpe:2.3:h:zyxel:usg_1900:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_20w_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_20w_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_20w>>-
cpe:2.3:h:zyxel:usg_20w:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_20w-vpn_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_20w-vpn>>-
cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_2200-vpn_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_2200-vpn>>-
cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_310_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_310_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_310>>-
cpe:2.3:h:zyxel:usg_310:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_40_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_40>>-
cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_40w_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_40w>>-
cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_60_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_60>>-
cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_60w_firmware>>Versions from 4.35(inclusive) to 4.70(inclusive)
cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_60w>>-
cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_100_firmware>>Versions from 4.50(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_100>>-
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_100w_firmware>>Versions from 4.50(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_100w>>-
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_200_firmware>>Versions from 4.50(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_200>>-
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_500_firmware>>Versions from 4.50(inclusive) to 5.20(inclusive)
cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
Zyxel Networks Corporation
zyxel
>>usg_flex_500>>-
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE-79Secondarysecurity@zyxel.com.tw
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: security@zyxel.com.tw
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtmlsecurity@zyxel.com.tw
Vendor Advisory
Hyperlink: https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Source: security@zyxel.com.tw
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

19018Records found
CVE-2022-45441
Matching Score-10
Assigner-Zyxel Corporation
ShareView Details
Matching Score-10
Assigner-Zyxel Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.35% / 27.07%
||
7 Day CHG~0.00%
Published-07 Feb, 2023 | 00:00
Updated-25 Mar, 2025 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.13)C0, which could allow an attacker to store malicious scripts in the Logs page of the GUI on a vulnerable device. A successful XSS attack could force an authenticated user to execute the stored malicious scripts and then result in a denial-of-service (DoS) condition when the user visits the Logs page of the GUI on the device.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-nbg-418n_firmwarenbg-418nNBG-418N v2 firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-15602
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.80% / 51.85%
||
7 Day CHG~0.00%
Published-26 Aug, 2018 | 21:00
Updated-05 Aug, 2024 | 10:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zyxel VMG3312 B10B devices are affected by a persistent XSS vulnerability via the pages/connectionStatus/connectionStatus-hostEntry.cmd hostname parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-vmg3312_b10b_firmwarevmg3312_b10bn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42061
Matching Score-10
Assigner-Zyxel Corporation
ShareView Details
Matching Score-10
Assigner-Zyxel Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.29% / 20.96%
||
7 Day CHG~0.00%
Published-03 Sep, 2024 | 01:59
Updated-13 Dec, 2024 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-zldusg_20w-vpnatp100atp800usg_flex_200usg_flex_100atp100wusg_flex_50watp200atp500atp700usg_flex_100axusg_flex_700usg_flex_100wusg_flex_500usg_flex_50USG FLEX 50(W) series firmwareUSG20(W)-VPN series firmwareUSG FLEX series firmwareATP series firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-46387
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-21.03% / 97.25%
||
7 Day CHG~0.00%
Published-01 Mar, 2022 | 14:04
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). Insecure URI handling leads to bypass security restriction to achieve Cross Site Scripting, which allows an attacker able to execute arbitrary JavaScript codes to perform multiple attacks such as clipboard hijacking and session hijacking.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-zywall_2_plus_internet_security_appliance_firmwarezywall_2_plus_internet_security_appliancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-9955
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-20.95% / 97.23%
||
7 Day CHG~0.00%
Published-22 Apr, 2019 | 19:38
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-usg60_firmwareusg110_firmwareusg40_firmwareusg60w_firmwareusg2200-vpn_firmwarevpn100atp800_firmwareusg20-vpn_firmwarezywall_110usg110usg1100usg1900_firmwareusg1100_firmwarevpn50_firmwareusg20-vpnusg40w_firmwareusg1900usg210_firmwareatp200zywall_1100usg20w-vpnvpn100_firmwarevpn300usg40wusg60watp500_firmwareusg40usg2200-vpnatp800zywall_310_firmwareusg60usg210usg310vpn50zywall_110_firmwarezywall_310atp500zywall_1100_firmwareusg20w-vpn_firmwarevpn300_firmwareusg310_firmwareatp200_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-12581
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-6.40% / 92.78%
||
7 Day CHG~0.00%
Published-27 Jun, 2019 | 14:10
Updated-04 Aug, 2024 | 23:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-usg110_firmwareusg2200-vpn_firmwareusg2200-vpnuag5100_firmwareusg110usg210usg310usg1100usg1900_firmwareuag4100usg1100_firmwareusg1900uag2100_firmwareusg210_firmwareuag5100uag2100uag4100_firmwareusg310_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-6017
Matching Score-10
Assigner-CERT/CC
ShareView Details
Matching Score-10
Assigner-CERT/CC
CVSS Score-6.1||MEDIUM
EPSS-2.14% / 79.65%
||
7 Day CHG~0.00%
Published-31 Dec, 2015 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Forms/rpAuth_1 on ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0) allow remote attackers to inject arbitrary web script or HTML via the (1) LoginPassword or (2) hiddenPassword parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-p-660hw-t1_v2_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35139
Matching Score-10
Assigner-Zyxel Corporation
ShareView Details
Matching Score-10
Assigner-Zyxel Corporation
CVSS Score-5.2||MEDIUM
EPSS-0.46% / 36.54%
||
7 Day CHG~0.00%
Published-28 Nov, 2023 | 01:22
Updated-02 Aug, 2024 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the CGI program of the Zyxel ATP series firmware versions 5.10 through 5.37, USG FLEX series firmware versions 5.00 through 5.37, USG FLEX 50(W) series firmware versions 5.10 through 5.37, USG20(W)-VPN series firmware versions 5.10 through 5.37, and VPN series firmware versions 5.00 through 5.37, could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-zldvpn100usg_20w-vpnatp100atp800usg_flex_200vpn50usg_flex_100atp100wusg_flex_50watp200atp700atp500usg_flex_700vpn1000vpn50wvpn300usg_flex_100wusg_flex_500usg_flex_50ATP series firmwareVPN series firmwareUSG FLEX series firmware USG FLEX 50(W) series firmwareUSG20(W)-VPN series firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-7277
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.20% / 64.20%
||
7 Day CHG~0.00%
Published-04 Oct, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the login page on the ZyXEL SBG-3300 Security Gateway with firmware 1.00(AADY.4)C0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified "welcome message" form data that is improperly handled during rendering of the loginMessage list item, a different vulnerability than CVE-2014-7278.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-sbg3300-n_firmwaresbg3300-nn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15339
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.71% / 48.85%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 14:58
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-cloudcnm_secumanagern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-6786
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-2.17% / 79.94%
||
7 Day CHG~0.00%
Published-16 Jan, 2014 | 19:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.

Action-Not Available
Vendor-sitecomallegrosoftn/aHuawei Technologies Co., Ltd.D-Link CorporationTP-Link Systems Inc.Zyxel Networks Corporation
Product-dsl-2640rwl-174dsl-2641rmt882rompagerp-660hw_d1td-8816n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-40603
Matching Score-10
Assigner-Zyxel Corporation
ShareView Details
Matching Score-10
Assigner-Zyxel Corporation
CVSS Score-4.7||MEDIUM
EPSS-0.36% / 27.64%
||
7 Day CHG~0.00%
Published-06 Dec, 2022 | 00:00
Updated-23 Apr, 2025 | 20:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-usg60_firmwarevpn100atp100_firmwareusg40_firmwareusg60w_firmwareatp100atp800_firmwareusg_flex_200usg_flex_500_firmwareusg_flex_100w_firmwareatp100watp100w_firmwarevpn300_firmwareusg_flex_200_firmwarevpn50_firmwareusg40w_firmwareatp200atp700usg_flex_700vpn100_firmwarevpn300usg40wusg_flex_100wusg60wusg_flex_50w_firmwareatp700_firmwareatp500_firmwareusg40atp800vpn1000_firmwarevpn50usg60usg_flex_50watp500usg_flex_700_firmwarevpn1000usg_flex_500atp200_firmwareVPN series firmwareUSG FLEX series firmwareZyWALL/USG series firmwareATP series firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-2167
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-16.78% / 96.63%
||
7 Day CHG~0.00%
Published-13 May, 2008 | 20:14
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in ZyXEL ZyWALL 100 allows remote attackers to inject arbitrary web script or HTML via the Referer header, which is not properly handled in a 404 Error page.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-zywall_100n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1257
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.64% / 73.27%
||
7 Day CHG~0.00%
Published-10 Mar, 2008 | 17:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ZyXEL P-660HW series router allows remote attackers to inject arbitrary web script or HTML via the PingIPAddr parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-p-660hwp-660hw_d3p-660hw_d1p-660hw_t3n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-6729
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.06% / 60.20%
||
7 Day CHG~0.00%
Published-10 Sep, 2009 | 10:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the web management interface in the ZyXEL P-330W router allows remote attackers to inject arbitrary web script or HTML via the pingstr parameter and other unspecified vectors.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-p-330w_routern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2004-1789
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-11.24% / 95.40%
||
7 Day CHG~0.00%
Published-10 May, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the web management interface in ZyWALL 10 4.07 allows remote attackers to inject arbitrary web script or HTML via the rpAuth_1 page.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-zywall10n/a
CVE-2006-3929
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-3.19% / 86.42%
||
7 Day CHG~0.00%
Published-31 Jul, 2006 | 21:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Forms/rpSysAdmin script on the Zyxel Prestige 660H-61 ADSL Router running firmware 3.40(PT.0)b32 allows remote attackers to inject arbitrary web script or HTML via hex-encoded values in the a parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-prestige_660h-61n/a
CVE-2007-4317
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.33% / 67.42%
||
7 Day CHG~0.00%
Published-13 Aug, 2007 | 21:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in the management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zywall 2 device allow remote attackers to perform certain actions as administrators, as demonstrated by a request to Forms/General_1 with the (1) sysSystemName and (2) sysDomainName parameters.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-zywall_2zynosn/a
CVE-2007-4316
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.22% / 64.64%
||
7 Day CHG~0.00%
Published-13 Aug, 2007 | 21:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zywall 2 device has a certain default password, which allows remote attackers to perform administrative actions.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-zywall_2zynosn/a
CVE-2018-9129
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.97% / 57.09%
||
7 Day CHG~0.00%
Published-15 Aug, 2018 | 18:00
Updated-05 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-usg_60w_firmwarezywall_vpn_300usg_310zywall_vpn_50_firmwareusg_310_firmwareusg_1100zywall_110zywall_vpn_50usg_1900usg_2200-vpn_firmwareusg_40_firmwareusg_2200-vpnzywall_1100usg_20w_firmwareusg_60_firmwareusg_20wusg_110_firmwareusg_40wusg_60usg_20w-vpnusg_20w-vpn_firmwarezywall_310_firmwareusg_60wusg_40w_firmwarezywall_110_firmwarezywall_vpn_300_firmwarezywall_310usg_110usg_1900_firmwarezywall_vpn_100zywall_1100_firmwareusg_1100_firmwareusg_40zywall_vpn_100_firmwaren/a
CVE-2008-1260
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 40.29%
||
7 Day CHG~0.00%
Published-10 Mar, 2008 | 17:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities on the Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware allow remote attackers to (1) make the admin web server available on the Internet (WAN) interface via the WWWAccessInterface parameter to Forms/RemMagWWW_1 or (2) change the IP whitelisting timeout via the StdioTimout parameter to Forms/rpSysAdmin_1.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-p-2602hw-d1an/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2011-0746
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.08%
||
7 Day CHG~0.00%
Published-13 Apr, 2011 | 14:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-o2_dsl_router_classicn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2007-4318
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-2.31% / 81.11%
||
7 Day CHG~0.00%
Published-13 Aug, 2007 | 21:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Forms/General_1 in the management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zywall 2 device allows remote authenticated administrators to inject arbitrary web script or HTML via the sysSystemName parameter.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-zywall_2zynosn/a
CVE-2021-35030
Matching Score-6
Assigner-Zyxel Corporation
ShareView Details
Matching Score-6
Assigner-Zyxel Corporation
CVSS Score-3.5||LOW
EPSS-0.27% / 18.19%
||
7 Day CHG~0.00%
Published-26 Jul, 2021 | 11:20
Updated-17 Sep, 2024 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in the CGI program in Zyxel GS1900-8 firmware version V2.60, that did not properly sterilize packet contents and could allow an authenticated, local user to perform a cross-site scripting (XSS) attack via a crafted LLDP packet.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-gs1900-24hpv2_firmwaregs1900-10hpgs1900-24_firmwaregs1900-24e_firmwaregs1900-8gs1900-48hpgs1900-8hp_firmwaregs1900-48_firmwaregs1900-48hpv2_firmwaregs1900-48hpv2gs1900-24epgs1900-24ep_firmwaregs1900-24gs1900-8hpgs1900-24egs1900-24hpv2gs1900-8_firmwaregs1900-48gs1900-48hp_firmwaregs1900-16_firmwaregs1900-10hp_firmwaregs1900-16gs1900-24hp_firmwaregs1900-24hpGS1900-8 Firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-13495
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.62% / 45.02%
||
7 Day CHG~0.00%
Published-31 Mar, 2020 | 17:04
Updated-04 Aug, 2024 | 23:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-xgs2210-52hpxgs2210-52hp_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10634
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.84% / 53.00%
||
7 Day CHG~0.00%
Published-09 Apr, 2019 | 05:00
Updated-04 Aug, 2024 | 22:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-nas326nas326_firmwaren/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22921
Matching Score-6
Assigner-Zyxel Corporation
ShareView Details
Matching Score-6
Assigner-Zyxel Corporation
CVSS Score-7.5||HIGH
EPSS-0.50% / 38.95%
||
7 Day CHG~0.00%
Published-01 May, 2023 | 00:00
Updated-30 Jan, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker with administrator privileges to store malicious scripts using a web management interface parameter, resulting in denial-of-service (DoS) conditions on an affected device.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-nbg-418n_firmwarenbg-418nNBG-418N v2 firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27990
Matching Score-6
Assigner-Zyxel Corporation
ShareView Details
Matching Score-6
Assigner-Zyxel Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.34% / 26.12%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 00:00
Updated-25 Feb, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.

Action-Not Available
Vendor-Zyxel Networks Corporation
Product-usg_flex_50wvpn100usg_flex_100w_firmwareusg20-vpnatp700_firmwareatp100w_firmwareusg_20w-vpn_firmwareatp800vpn300_firmwarevpn50atp200vpn1000_firmwareusg_flex_500vpn50_firmwareusg_flex_50w_firmwareusg_flex_100_firmwareusg_flex_200_firmwareatp100watp800_firmwareusg_flex_50atp500_firmwareusg_flex_700_firmwareatp500atp100usg_flex_200atp700usg_flex_100usg_flex_100wvpn1000atp100_firmwarevpn100_firmwarevpn300usg_flex_500_firmwareusg_flex_700usg_20w-vpnusg_flex_50_firmwareatp200_firmwareusg20-vpn_firmwareATP series firmwareVPN series firmwareUSG FLEX series firmwareUSG FLEX 50(W) firmwareUSG20(W)-VPN firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-24878
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.33% / 25.06%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 12:58
Updated-11 May, 2026 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Portugal CTT Tracking for WooCommerce plugin <= 2.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marco Almeida | Webdados Portugal CTT Tracking for WooCommerce portugal-ctt-tracking-woocommerce.This issue affects Portugal CTT Tracking for WooCommerce: from n/a through <= 2.1.

Action-Not Available
Vendor-webdadosMarco Almeida | Webdados
Product-portugal_ctt_tracking_for_woocommercePortugal CTT Tracking for WooCommerce
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-35976
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.11% / 61.70%
||
7 Day CHG~0.00%
Published-10 Sep, 2021 | 11:08
Updated-04 Aug, 2024 | 00:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.

Action-Not Available
Vendor-n/aPlesk (WebPros International GmbH)
Product-obsidiann/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-4374
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-6.1||MEDIUM
EPSS-2.17% / 79.95%
||
7 Day CHG~0.00%
Published-03 Apr, 2019 | 17:43
Updated-05 Aug, 2024 | 05:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A logic issue was addressed with improved validation. This issue affected versions prior to iOS 12.1, watchOS 5.1, Safari 12.0.1, iTunes 12.9.1, iCloud for Windows 7.8.

Action-Not Available
Vendor-n/aApple Inc.Microsoft Corporation
Product-itunesiphone_oswatchossafariwindowsicloudiOS, watchOS, Safari, iTunes for Windows, iCloud for Windows
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-22639
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 32.69%
||
7 Day CHG~0.00%
Published-25 Jan, 2024 | 00:00
Updated-29 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iGalerie v3.0.22 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Titre (Title) field in the editing interface.

Action-Not Available
Vendor-igalerien/a
Product-igalerien/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5550
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-6.1||MEDIUM
EPSS-37.46% / 98.33%
||
7 Day CHG-0.48%
Published-08 Feb, 2018 | 19:00
Updated-05 Aug, 2024 | 05:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of Epson AirPrint released prior to January 19, 2018 contain a reflective cross-site scripting (XSS) vulnerability, which can allow untrusted users on the network to hijack a session cookie or perform other reflected XSS attacks on a currently logged-on user.

Action-Not Available
Vendor-epsonEpson
Product-airprintEpson AirPrint
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-11556
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.97% / 57.46%
||
7 Day CHG+0.01%
Published-25 Sep, 2020 | 05:56
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

Action-Not Available
Vendor-n/aRed Hat, Inc.openSUSE
Product-pagurebackports_sleleapn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-4931
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.1||MEDIUM
EPSS-1.88% / 76.78%
||
7 Day CHG~0.00%
Published-19 May, 2018 | 17:00
Updated-05 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe Experience Manager versions 6.1 and earlier have an exploitable stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

Action-Not Available
Vendor-n/aAdobe Inc.
Product-experience_managerAdobe Experience Manager AEM 6.1 and earlier
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4877
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-0.53% / 40.88%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 09:14
Updated-03 Aug, 2024 | 01:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
snoyberg keter Proxy.hs cross site scripting

A vulnerability has been found in snoyberg keter up to 1.8.1 and classified as problematic. This vulnerability affects unknown code of the file Keter/Proxy.hs. The manipulation of the argument host leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.8.2 is able to address this issue. The name of the patch is d41f3697926b231782a3ad8050f5af1ce5cc40b7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217444.

Action-Not Available
Vendor-keter_projectsnoyberg
Product-keterketer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-4345
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.47% / 70.40%
||
7 Day CHG~0.00%
Published-03 Apr, 2019 | 17:43
Updated-05 Aug, 2024 | 05:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.

Action-Not Available
Vendor-n/aApple Inc.Microsoft Corporation
Product-itunesiphone_ostvossafariwindowsicloudiOS, tvOS, Safari, iTunes for Windows, iCloud for Windows
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5293
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.26% / 65.92%
||
7 Day CHG-0.02%
Published-08 Jan, 2018 | 07:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-tools page.

Action-Not Available
Vendor-gd_rating_system_projectn/a
Product-gd_rating_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5655
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.80% / 51.63%
||
7 Day CHG~0.00%
Published-13 Jan, 2018 | 00:00
Updated-16 Sep, 2024 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php security parameter.

Action-Not Available
Vendor-weblizarn/a
Product-pinterest-feedsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5798
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.65% / 46.47%
||
7 Day CHG~0.00%
Published-07 Jun, 2019 | 14:57
Updated-05 Aug, 2024 | 05:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This CVE relates to an unspecified cross site scripting vulnerability in Cloudera Manager.

Action-Not Available
Vendor-clouderan/a
Product-cloudera_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5306
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.12% / 61.83%
||
7 Day CHG-0.02%
Published-09 Feb, 2018 | 22:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../index.html; (3) the filename in the "File Upload" functionality of the Staging Upload; (4) the username when creating a new user; or (5) the IQ Server URL field in the IQ Server Connection functionality.

Action-Not Available
Vendor-n/aSonatype, Inc.
Product-nexus_repository_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2006-6733
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.45% / 69.94%
||
7 Day CHG~0.00%
Published-26 Dec, 2006 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in support/view.php in Support Cards 1 (osTicket) allows remote attackers to inject arbitrary web script or HTML via the e parameter.

Action-Not Available
Vendor-osticketn/a
Product-osticket_stsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5375
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.83% / 52.74%
||
7 Day CHG-0.02%
Published-12 Jan, 2018 | 09:00
Updated-17 Sep, 2024 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_space.php appid parameter in a delete action.

Action-Not Available
Vendor-discuzn/a
Product-discuzxn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-4940
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.1||MEDIUM
EPSS-1.79% / 75.52%
||
7 Day CHG~0.00%
Published-19 May, 2018 | 17:00
Updated-05 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Cross-Site Scripting vulnerability. Successful exploitation could lead to information disclosure.

Action-Not Available
Vendor-n/aAdobe Inc.
Product-coldfusionAdobe ColdFusion ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5288
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.43% / 69.61%
||
7 Day CHG-0.03%
Published-08 Jan, 2018 | 07:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-transfer page.

Action-Not Available
Vendor-gd_rating_system_projectn/a
Product-gd_rating_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5688
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-3.34% / 87.08%
||
7 Day CHG~0.00%
Published-14 Jan, 2018 | 20:00
Updated-05 Aug, 2024 | 05:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.

Action-Not Available
Vendor-iliasn/a
Product-iliasn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5705
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.49% / 70.75%
||
7 Day CHG~0.00%
Published-24 Jan, 2018 | 17:00
Updated-05 Aug, 2024 | 05:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reservo Image Hosting 1.6 is vulnerable to XSS attacks. The affected function is its search engine (the t parameter to the /search URI). Since there is an user/admin login interface, it's possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed.

Action-Not Available
Vendor-reservon/a
Product-image_hostingn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4924
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 36.15%
||
7 Day CHG~0.00%
Published-12 Jun, 2024 | 06:00
Updated-30 May, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sassy social share < 3.3.63 Admin+ Stored Cross-Site scripting

The Social Sharing Plugin WordPress plugin before 3.3.63 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Action-Not Available
Vendor-UnknownHeateor
Product-sassy_social_shareSocial Sharing Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-11427
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.83% / 52.66%
||
7 Day CHG~0.00%
Published-21 Apr, 2019 | 21:35
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter.

Action-Not Available
Vendor-idreamsoftn/a
Product-icmsn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5692
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.70% / 48.16%
||
7 Day CHG~0.00%
Published-14 Jan, 2018 | 04:00
Updated-05 Aug, 2024 | 05:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.

Action-Not Available
Vendor-n/aPiwigo
Product-piwigon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 380
  • 381
  • Next
Details not found