vendor: ZyWALL 2 Plus
by: Momen Eldawakhly (CyberGuy)
CVSS: 6.1 MEDIUM
Cross-Site Scripting (XSS)
CWE: 79
Product Name: ZyWALL 2 Plus
Affected Version From: ZyWALL 2 Plus
Affected Version To: ZyWALL 2 Plus
Patch Exists: YES
Related CVE: CVE-2021-46387
CPE: h:zyxel:zywall_2_plus
Tags: cve,cve2021,xss,zyxel,edb
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Nuclei References:
https://www.exploit-db.com/exploits/50797
https://www.zyxel.com/us/en/support/security_advisories.shtml
https://drive.google.com/drive/folders/1_XfWBLqxT2Mqt7uB663Sjlc62pE8-rcN?usp=sharing
https://nvd.nist.gov/vuln/detail/CVE-2021-46387
https://www.zyxel.com/uk/en/products_services/zywall_2_plus.shtml
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.title:"Zywall2Plus"', 'vendor': 'zyxel', 'product': 'zywall_2_plus_internet_security_appliance_firmware'}
Platforms Tested: Ubuntu Linux [Firefox]
2022
Zyxel ZyWALL 2 Plus Internet Security Appliance – Cross-Site Scripting (XSS)
A Cross-Site Scripting (XSS) vulnerability was discovered in the ZyWALL 2 Plus Internet Security Appliance. An attacker can exploit it by sending a crafted HTTP request to the vulnerable server. The request carries a payload in the form of an image tag with an onerror attribute that triggers a JavaScript prompt. This can be used to execute arbitrary JavaScript code in a user's browser, in the context of the vulnerable server.
Mitigation:
The vendor has released a patch to address this vulnerability. Users should update their ZyWALL 2 Plus Internet Security Appliance to the latest version.