Skip to main content

Vigor2860 Firmware CVE-2023-23313

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-03-03 cve@mitre.org
XSS Vigor2860 Firmware Vigor2860N Firmware Vigor2860N Plus Firmware Vigor2860Vn Plus Firmware Vigor2860Ac Firmware Vigor2860Vac Firmware Vigor2860L Firmware Vigor2860Ln Firmware Vigor2832 Firmware Vigor2832N Firmware Vigor2766 Firmware Vigor2766Ax Firmware Vigor2766Ac Firmware Vigor2766Vac Firmware Vigor2765 Firmware Vigor2765Ax Firmware Vigor2765Ac Firmware Vigor2765Va Firmware Vigor2763 Firmware Vigor2763Ac Firmware Vigor2762 Firmware Vigor2762N Firmware Vigor2762Ac Firmware Vigor2762Vac Firmware Vigor2135 Firmware Vigor2135Ax Firmware Vigor2135Ac Firmware Vigor2135Vac Firmware Vigor2135Fvac Firmware Vigor2133 Firmware Vigor2133N Firmware Vigor2133Ac Firmware Vigor2133Vac Firmware Vigor2133Fvac Firmware Vigor166 Firmware Vigor165 Firmware Vigor130 Firmware Vigornic 132 Firmware Vigor3910 Firmware Vigor3220 Firmware Vigor2962 Firmware Vigor2962P Firmware Vigor1000B Firmware Vigor2952 Firmware Vigor2952P Firmware Vigor2927 Firmware Vigor2927Ax Firmware Vigor2927Ac Firmware Vigor2927Vac Firmware Vigor2927F Firmware Vigor2927L Firmware Vigor2927Lac Firmware Vigor2926 Firmware Vigor2926N Firmware Vigor2926Ac Firmware Vigor2926Vac Firmware Vigor2926L Firmware Vigor2926Ln Firmware Vigor2926Lac Firmware Vigor2925 Firmware Vigor2925N Firmware Vigor2925N Plus Firmware Vigor2925Vn Plus Firmware Vigor2925Ac Firmware Vigor2925Vac Firmware Vigor2925Fn Firmware Vigor2925L Firmware Vigor2925Ln Firmware Vigor2915 Firmware Vigor2915Ac Firmware Vigor2866 Firmware Vigor2866Ax Firmware Vigor2866Ac Firmware Vigor2866Vac Firmware Vigor2866L Firmware Vigor2866Lac Firmware Vigor2865 Firmware Vigor2865Ax Firmware Vigor2865Ac Firmware Vigor2865Vac Firmware Vigor2865L Firmware Vigor2865Lac Firmware Vigor2862 Firmware Vigor2862N Firmware Vigor2862Ac Firmware Vigor2862Vac Firmware Vigor2862B Firmware Vigor2862Bn Firmware Vigor2862L Firmware Vigor2862Ln Firmware Vigor2862Lac Firmware
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 03, 2023 - 22:15 nvd
MEDIUM 6.1

DescriptionNVD

Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.

AnalysisAI

Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2. Affected products include: Draytek Vigor2860 Firmware, Draytek Vigor2860N Firmware, Draytek Vigor2860N-Plus Firmware, Draytek Vigor2860Vn-Plus Firmware, Draytek Vigor2860Ac Firmware.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2024-41592 HIGH POC
8.0 Oct 03

DrayTek Vigor3910 devices through 4.3.2.6 have a stack-based overflow when processing query string parameters because Ge

CVE-2024-51138 CRITICAL
9.8 Feb 27

Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3

CVE-2024-51139 CRITICAL
9.8 Feb 27

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862

CVE-2024-41593 CRITICAL
9.8 Oct 03

DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to execute arbitrary code via the function ft_payload_d

CVE-2024-41339 HIGH
8.8 Feb 27

An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620

CVE-2024-41334 HIGH
8.8 Feb 27

Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vi

CVE-2024-41340 HIGH
8.4 Feb 27

An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior t

CVE-2024-41596 HIGH
8.0 Oct 03

Buffer Overflow vulnerabilities exist in DrayTek Vigor310 devices through 4.3.2.6 (in the Vigor management UI) because o

CVE-2024-41590 HIGH
8.0 Oct 03

Several CGI endpoints are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on

CVE-2024-41588 HIGH
8.0 Oct 03

The CGI endpoints v2x00.cgi and cgiwcg.cgi of DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to buffer overflo

CVE-2024-41338 HIGH
7.5 Feb 27

A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor

CVE-2024-41594 HIGH
7.5 Oct 03

An issue in DrayTek Vigor310 devices through 4.3.2.6 allows an attacker to obtain sensitive information because the http

Share

CVE-2023-23313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy