BLOG HOME > Zyxel Devices Vulnerable to Cross-Site Scripting on Login page

Zyxel Devices Vulnerable to Cross-Site Scripting on Login page

Author: Aaron Bishop

CVE - 2019 - 9955

A reflected Cross Scripting vulnerability, CVE-2019-9955, was identified on several Zyxel devices, specifically on pages that use the mp_idx parameter. The affected pages (listed later in this report) do not require authentication.

The issue was identified during a network layer penetration test performed by SecurityMetrics, Inc.. During

this assessment, several Zyxel devices appeared on the customer's port scan. Log in pages (similar to the screenshot shown below) were accessible.

Zyxel documentation was used to determine valid parameters (including web_portal_html_guide.pdf [ftp://ftp.zyxel.it/guide/hotspot/uag2100_4100_5100_web_portal_html_guide.pdf], as shown below ).

A request such as:

Specifies an mp_idx parameter which is included unsanitized in the page:



▶ Affected Pages and Devices

Additional devices and pages may also be vulnerable, however, this issue was identified during a black-box test; credentials were not provided, pages requiring authentication were not tested, additional devices were not available for testing.



We are excited to work with you.

*Required

Thank you!

Your request has been submitted.