Zyxel security advisory for XSS vulnerability in firewalls
Zyxel has released patches for some firewalls affected by a reflected cross-site scripting (XSS) vulnerability. Users are advised to install them for optimal protection.
What is the vulnerability?
A reflected XSS vulnerability in the CGI program of some firewall versions could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could gain access to sensitive browser-based information if the malicious script is executed on the victim’s browser.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerability, as shown in the table below.
|Affected series|Affected version|Patch availability|
|---|---|---|
|ATP|ZLD V4.32~V5.31|ZLD V5.32|
|USG FLEX|ZLD V4.50~V5.31|ZLD V5.32|
|VPN|ZLD V4.30~V5.31|ZLD V5.32|
|ZyWALL/USG|ZLD V4.30~V4.72|ZLD V4.73|
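As an added example (not Zyxel's code), a small Python check that maps a firewall's series and ZLD version onto the table above so an inventory can be triaged against this advisory. The affected ranges and patch versions are taken from the table; the tolerated version-string format (optional "ZLD" prefix, optional parenthesised build suffix) and the sample inventory are assumptions.

```python
"""Triage Zyxel firewalls against the reflected-XSS advisory table above.

Added example, not Zyxel's code. Ranges and patch versions come from the
advisory; the accepted version-string format is an assumption.
"""
import re

# Series -> (first affected, last affected, fixed) exactly as the advisory lists them.
ADVISORY = {
    "ATP": ("V4.32", "V5.31", "V5.32"),
    "USG FLEX": ("V4.50", "V5.31", "V5.32"),
    "VPN": ("V4.30", "V5.31", "V5.32"),
    "ZyWALL/USG": ("V4.30", "V4.72", "V4.73"),
}

# Assumed format: optional "ZLD", "V", major.minor, optional "(build)" suffix.
_VER = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*\(.*\))?$", re.I)

def parse_version(text):
    """Turn 'ZLD V5.31' or 'V5.31(XYZ.0)' into a comparable (major, minor) tuple."""
    m = _VER.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version: {text!r}")
    return (int(m.group(1)), int(m.group(2)))

def check(series, version):
    """Return (status, advice): 'affected', 'patched' or 'out_of_scope'.

    A version at or above the listed patch counts as patched; one below the
    affected range is outside what the advisory states (not necessarily safe).
    """
    if series not in ADVISORY:
        raise KeyError(f"series not covered by this advisory: {series}")
    first_s, last_s, fixed_s = ADVISORY[series]
    first, last, fixed = map(parse_version, (first_s, last_s, fixed_s))
    v = parse_version(version)
    if first <= v <= last:
        return ("affected", f"upgrade to ZLD {fixed_s}")
    if v >= fixed:
        return ("patched", "no action required for this advisory")
    return ("out_of_scope", "version is outside the advisory's listed range")

def triage(inventory):
    """Run check() over (hostname, series, version) rows from an asset list."""
    return [(host, *check(series, ver)) for host, series, ver in inventory]

# Constructed sample inventory; hostnames and versions are not real devices.
INVENTORY = [
    ("fw-hq-01", "ATP", "ZLD V5.21(ABFW.0)"),
    ("fw-branch-02", "USG FLEX", "V5.32"),
    ("fw-legacy-03", "ZyWALL/USG", "ZLD V4.60"),
    ("fw-vpn-04", "VPN", "V4.25"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep="\t")
```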
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Thanks to Alessandro Sgreccia from Tecnical Service SRL for reporting the issue to us.
2022-12-06: Initial release.