Vulnerability Details : CVE-2022-40603
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-40603
- cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-40603
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 32 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-40603
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
4.7
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
2.8
|
1.4
|
Zyxel Corporation |
CWE ids for CVE-2022-40603
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- security@zyxel.com.tw (Secondary)
References for CVE-2022-40603
-
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls
Zyxel security advisory for XSS vulnerability in firewalls | Zyxel NetworksVendor Advisory
Jump to