CVE-2023-23313: Cross-Site Scripting vulnerability (CVE-2023-23313) | DrayTek

Certain DrayTek products are vulnerable to Cross-Site Scripting (XSS) via the wlogin.cgi and user_login.cgi scripts of the router’s web management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.


A Cross-Site Scripting vulnerability in the hotspot web portal and the user management login page of DrayTek routers (CVE-2023-23313) has been discovered.

It is possible for an authenticated attacker to inject and store arbitrary JavaScript code into the user’s browser by using the vulnerable CGI script. Since the injected code is stored permanently, every user visiting the web application will trigger the stored malicious payload. DrayTek will release new firmware with security updates for this Cross-Site Scripting vulnerability, as listed below.

Model                     Fixed Firmware Version
Vigor3910                 4.3.2.2
Vigor3220 Series          3.9.7.4
Vigor2962 Series          4.3.2.2
Vigor1000B                4.3.2.2
Vigor2952 / 2952P         3.9.7.4
Vigor2927 Series          4.4.2.3
Vigor2927 LTE Series      4.4.2.3
Vigor2926 Series          3.9.9.1
Vigor2926 LTE Series      3.9.9.1
Vigor2925 Series          3.9.4
Vigor2925 LTE Series      3.9.4
Vigor2915 Series          4.4.2.1
Vigor2866 Series          4.4.1.1
Vigor2866 LTE Series      4.4.1.1
Vigor2865 Series          4.4.1.1
Vigor2865 LTE Series      4.4.1.1
Vigor2862 Series          3.9.9.1
Vigor2862 LTE Series      3.9.9.1
Vigor2860 Series          3.9.4
Vigor2860 LTE Series      3.9.4
Vigor2832 Series          3.9.6.3
Vigor2766 Series          4.4.2.1
Vigor2765 Series          4.4.2.1
Vigor2763 Series          4.4.2.2
Vigor2762 Series          3.9.6.5
Vigor2135 Series          4.4.2.1
Vigor2133 Series          3.9.6.5
Vigor166                  4.2.4.1
Vigor165                  4.2.4.1
Vigor130                  3.8.5.1
VigorNIC 132              3.8.5.1
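As an added example (not DrayTek's code), the following script turns the fixed-firmware table above into an inventory check: it compares a device's reported firmware numerically against the first fixed release and flags devices still exposed to CVE-2023-23313. The inventory rows and hostnames are constructed for illustration.

```python
# Added example, not DrayTek's code: flag routers still below the fixed firmware for CVE-2023-23313.
# Base model -> first fixed firmware, copied from the advisory table above.
# "Series" and "LTE Series" variants share one fixed version, so each base model gets one key.
FIXED_FIRMWARE = {
    "VIGOR3910": "4.3.2.2", "VIGOR3220": "3.9.7.4", "VIGOR2962": "4.3.2.2",
    "VIGOR1000B": "4.3.2.2", "VIGOR2952": "3.9.7.4", "VIGOR2952P": "3.9.7.4",
    "VIGOR2927": "4.4.2.3", "VIGOR2926": "3.9.9.1", "VIGOR2925": "3.9.4",
    "VIGOR2915": "4.4.2.1", "VIGOR2866": "4.4.1.1", "VIGOR2865": "4.4.1.1",
    "VIGOR2862": "3.9.9.1", "VIGOR2860": "3.9.4", "VIGOR2832": "3.9.6.3",
    "VIGOR2766": "4.4.2.1", "VIGOR2765": "4.4.2.1", "VIGOR2763": "4.4.2.2",
    "VIGOR2762": "3.9.6.5", "VIGOR2135": "4.4.2.1", "VIGOR2133": "3.9.6.5",
    "VIGOR166": "4.2.4.1", "VIGOR165": "4.2.4.1", "VIGOR130": "3.8.5.1",
    "VIGORNIC132": "3.8.5.1",
}

def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.9.7.3' into (3, 9, 7, 3) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def normalize_model(model: str) -> str:
    """Map 'Vigor2927 LTE Series', 'Vigor2952 / 2952P' or 'VigorNIC 132' onto a table key."""
    tokens = model.upper().replace("/", " ").split()
    if tokens[0] == "VIGORNIC":          # 'VigorNIC 132' -> 'VIGORNIC132'
        return tokens[0] + tokens[1]
    return tokens[0]                     # drop 'Series', 'LTE', '/ 2952P' suffixes

def check_firmware(model: str, version: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for one device."""
    fixed = FIXED_FIRMWARE.get(normalize_model(model))
    if fixed is None:
        return "unknown"                 # model not covered by this advisory's table
    return "fixed" if parse_version(version) >= parse_version(fixed) else "affected"

def affected_devices(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Filter (hostname, model, firmware) rows down to devices still exposed."""
    return [host for host, model, fw in inventory if check_firmware(model, fw) == "affected"]

# Constructed sample inventory; versions chosen to sit on both sides of the fix.
SAMPLE_INVENTORY = [
    ("gw-branch-01", "Vigor2927 Series", "4.4.2.2"),   # one release below 4.4.2.3
    ("gw-hq", "Vigor3910", "4.3.2.1"),                 # one release below 4.3.2.2
    ("gw-lab", "Vigor2952P", "3.9.7.4"),               # exactly the fixed release
    ("gw-old", "Vigor2925", "3.9.3"),                  # below 3.9.4
]

if __name__ == "__main__":
    for host in affected_devices(SAMPLE_INVENTORY):
        print(f"{host}: firmware update required for CVE-2023-23313")
```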

Contact Technical Support

Should you have any security-related inquiry regarding one of our products, please contact DrayTek Technical Support.
