Zyxel security advisory for reflected cross-site scripting vulnerability of firewalls
CVE: CVE-2019-9955
Zyxel security firewalls are affected by a reflected cross-site scripting vulnerability. Users are advised to install the applicable hotfixes for optimal protection.
What's the vulnerability?
The reflected cross-site scripting vulnerability was identified on the Zyxel security firewall login pages, which contained an unsanitized 'mp_idx' parameter.
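The following is an added example, not part of Zyxel's advisory: a log-review check that flags requests whose 'mp_idx' value falls outside a conservative allowlist, which helps spot probing of devices that have not yet received the hotfix. The access-log format, the placeholder path, the function names and the idea that legitimate values are short alphanumeric tokens are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate mp_idx values are short alphanumeric tokens.
# Adjust the allowlist to whatever your own baseline traffic shows.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{0,32}")
# Client address and request target in a common/combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_mp_idx(log_lines):
    """Return (client, decoded_value) for requests whose mp_idx is off-allowlist."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get("mp_idx", []):
            value = fully_decode(raw)
            if not SAFE_VALUE.fullmatch(value):
                hits.append((client, value))
    return hits

# Constructed sample lines (documentation addresses, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2019:10:00:01 +0000] "GET /?mp_idx=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Apr/2019:10:00:09 +0000] "GET /?mp_idx=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5190',
    '203.0.113.5 - - [18/Apr/2019:10:01:30 +0000] "GET /?mp_idx=%2522%253E HTTP/1.1" 200 5150',
    '192.0.2.10 - - [18/Apr/2019:10:02:00 +0000] "GET /?other=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, value in flag_mp_idx(SAMPLE_LOG):
        print(f"{client} sent unexpected mp_idx: {value!r}")
```

The bounded repeat-decoding matters because a value that is percent-encoded twice looks harmless after a single decode.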
What should you do?
After a thorough investigation, we’ve identified the vulnerable products and listed them in the table below. Hotfixes for the affected models are now available, and we will include patches in the models’ next regular firmware release. We urge users to install the hotfixes for optimal protection.
|Device impacted||Hotfix availability|
Got a question or a tipoff?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact firstname.lastname@example.org and we’ll get right back to you.
Thanks to Aaron Bishop at Security Metrics for reporting this vulnerability to us.
2019-4-18: Initial release
2019-4-25: Added VPN50/100/300 to the list of impacted devices