Vulnerability Details CVE-2019-12581
A reflected cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.629
EPSS Ranking 98.2%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
Products affected by CVE-2019-12581
- cpe:2.3:h:zyxel:uag2100:-
- cpe:2.3:h:zyxel:uag4100:-
- cpe:2.3:h:zyxel:uag5100:-
- cpe:2.3:h:zyxel:usg1100:-
- cpe:2.3:h:zyxel:usg1900:-
- cpe:2.3:h:zyxel:usg2200-vpn:-
- cpe:2.3:o:zyxel:uag2100_firmware:4.18(aaiz.1)c0
- cpe:2.3:o:zyxel:uag4100_firmware:4.18(aatd.1)c0
- cpe:2.3:o:zyxel:uag5100_firmware:4.18(aapn.1)c0
- cpe:2.3:o:zyxel:usg1100_firmware:4.30
- cpe:2.3:o:zyxel:usg110_firmware:-
- cpe:2.3:o:zyxel:usg110_firmware:4.30
- cpe:2.3:o:zyxel:usg1900_firmware:4.30
- cpe:2.3:o:zyxel:usg210_firmware:4.30
- cpe:2.3:o:zyxel:usg2200-vpn_firmware:4.25
- cpe:2.3:o:zyxel:usg2200-vpn_firmware:4.30
- cpe:2.3:o:zyxel:usg310_firmware:4.30