Description
A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Scores
CVSS v3: 5.8
EPSS: 0.0033
EPSS Percentile: 55.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Details
CWE: CWE-79
Status: published
Products (32)
zyxel/atp100_firmware: 4.35 - 5.20
zyxel/atp100w_firmware: 4.35 - 5.20
zyxel/atp200_firmware: 4.35 - 5.20
zyxel/atp500_firmware: 4.35 - 5.20
zyxel/atp700_firmware: 4.35 - 5.20
zyxel/atp800_firmware: 4.35 - 5.20
zyxel/usg200_firmware: 4.35 - 4.70
zyxel/usg20_firmware: 4.35 - 4.70
zyxel/usg210_firmware: 4.35 - 4.70
zyxel/usg2200_firmware: 4.35 - 4.70
... and 22 more
Published: May 24, 2022
Tracked Since: Feb 18, 2026