Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.1
CVSSv3

CVE-2019-9955

Published: 22/04/2019 Updated: 30/04/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 435
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Subscribe to Zyxel

Vulnerability Summary

On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

zyxel atp200_firmware 4.31

zyxel atp500_firmware 4.31

zyxel atp800_firmware 4.31

zyxel usg20-vpn_firmware 4.31

zyxel usg20w-vpn_firmware 4.31

zyxel usg40_firmware 4.31

zyxel usg40w_firmware 4.31

zyxel usg60_firmware 4.31

zyxel usg60w_firmware 4.31

zyxel usg110_firmware 4.31

zyxel usg210_firmware 4.31

zyxel usg310_firmware 4.31

zyxel usg1100_firmware 4.31

zyxel usg1900_firmware 4.31

zyxel usg2200-vpn_firmware 4.31

zyxel zywall_110_firmware 4.31

zyxel zywall_310_firmware 4.31

zyxel zywall_1100_firmware 4.31

zyxel vpn50_firmware -

zyxel vpn100_firmware -

zyxel vpn300_firmware -

Exploits

Exploit DB: Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting
# Exploit Title: Reflected XSS on Zyxel login pages # Date: 10 Apr 2019 # Exploit Author: Aaron Bishop # Vendor Homepage: wwwzyxelcom/us/en/ # Version: V431 # Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogincgi, webauth_relogincgi # CVE : 2019-9955 1 Description ============== Several Zyxel devices are vulnerable ...

Mailing Lists

Full Disclosure: CVE-2019-9955 Refelected XSS on Zyxel Login page
<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> CVE-2019-9955 Refelected XSS on Zyxel Login page <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: aaron bi ...

References

CWE-79https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtmlhttps://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-pagehttps://www.exploit-db.com/exploits/46706/http://seclists.org/fulldisclosure/2019/Apr/22http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.htmlhttps://nvd.nist.govhttps://www.exploit-db.com/exploits/46706
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49333CVE-2024-33901CVE-2024-36001CVE-2024-2835firewallXPath injectionauthentication bypassCVE-2024-22120CVE-2024-32002
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook