
CVSS: 6.1 | EPSS: 0% | CPEs: 18 | EXPL: 2

A reflected cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter. As with any reflected XSS, the payload is delivered in a request the victim's browser makes to the device, so an attacker needs a user with access to the web interface to open a crafted link; see the Zyxel advisory below for affected firmware and fixes.

References:
- https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss
- https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html
- https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml
- https://www.zyxel.com/us/en

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
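The following is an added example, not code from the advisory or from Zyxel's firmware. It models an error page that reflects an err_msg parameter the way the advisory describes, shows the same page with the parameter HTML-encoded, and includes a non-executable probe marker of the kind a scanner would use to confirm the defect. The page template, the marker, and the helper names are assumptions; only the CGI name and the err_msg parameter come from the advisory.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the HTML that a CGI program such as
# free_time_failed.cgi might emit. The real template is not on the page.
TEMPLATE = '<html><body><p class="error">{msg}</p></body></html>'


def render_vulnerable(query_string: str) -> str:
    """Reflect err_msg verbatim into the page: the CWE-79 defect."""
    params = parse_qs(query_string, keep_blank_values=True)
    msg = params.get("err_msg", [""])[0]
    return TEMPLATE.format(msg=msg)


def render_fixed(query_string: str) -> str:
    """Same page, but the parameter is entity-encoded before insertion."""
    params = parse_qs(query_string, keep_blank_values=True)
    msg = params.get("err_msg", [""])[0]
    # quote=True also encodes " and ', so the value is safe inside attributes too.
    return TEMPLATE.format(msg=html.escape(msg, quote=True))


# Probe marker (constructed): unique, carries every metacharacter that must be
# encoded, and is harmless if it is reflected, since it contains no script.
MARKER = "zx<\"'>qa"


def reflected_unescaped(body: str, marker: str = MARKER) -> bool:
    """True when the marker reaches the HTML with its metacharacters intact."""
    return marker in body


def probe(render) -> dict:
    """Send the marker through a renderer and classify the result.

    Against a live device the same check would be made with an HTTP client
    and the response body in place of render(); here the renderer is local
    so the example runs offline.
    """
    body = render(urlencode({"err_msg": MARKER}))
    return {"vulnerable": reflected_unescaped(body), "body": body}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, probe(fn))
```

The marker approach is what distinguishes a finding from a false positive: a page can echo a parameter back without being exploitable if it encodes the characters that would end the current HTML context, so the check tests for those characters surviving rather than for the input merely appearing.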

CVSS: 9.1 | EPSS: 0% | CPEs: 28 | EXPL: 1

Missing access control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator, i.e. by requesting the generator's URL without going through the authenticated administrative interface that normally links to it. This can lead to unauthorised network access or denial of service.

References:
- https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss
- https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml

CWE-425: Direct Request ('Forced Browsing')
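The following is an added example, not code from the advisory or from Zyxel's firmware. It models the CWE-425 defect as a request handler that serves the account generator without checking the caller's session, next to a handler that enforces the check itself, and adds a check of the kind a tester would run: does an unauthenticated direct request to the generator succeed? The endpoint path, the session store, the guest-pool size, and the idea that denial of service comes from exhausting a finite pool of guest accounts are assumptions; the advisory only states that direct access generates accounts and can cause unauthorised access or DoS.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical path: the advisory does not name the real generator URL.
GENERATOR_PATH = "/cgi-bin/free_time_generate.cgi"

# Constructed session store standing in for the gateway's session table.
SESSIONS = {"s-admin-1": {"role": "admin"}, "s-guest-7": {"role": "guest"}}

# Assumed finite pool of guest accounts; exhausting it is one way a
# missing check turns into denial of service for legitimate guests.
POOL_SIZE = 3


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Pool:
    issued: int = 0

    def issue(self) -> Optional[str]:
        """Mint the next guest account name, or None when the pool is empty."""
        if self.issued >= POOL_SIZE:
            return None
        self.issued += 1
        return f"guest{self.issued:04d}"


def _generate(pool: Pool) -> Response:
    account = pool.issue()
    if account is None:
        return Response(503, "no guest accounts left")
    return Response(200, account)


def handle_vulnerable(req: Request, pool: Pool) -> Response:
    # CWE-425: the generator assumes only the admin UI ever links to it and
    # performs no authorisation of its own, so a direct request succeeds.
    if req.path == GENERATOR_PATH:
        return _generate(pool)
    return Response(404, "")


def current_role(req: Request) -> Optional[str]:
    sess = SESSIONS.get(req.cookies.get("session", ""))
    return sess["role"] if sess else None


def handle_fixed(req: Request, pool: Pool) -> Response:
    # The check lives in the handler, not in the UI that hides the link.
    if req.path == GENERATOR_PATH:
        if current_role(req) != "admin":
            return Response(403, "forbidden")
        return _generate(pool)
    return Response(404, "")


def forced_browsing_succeeds(handler) -> bool:
    """Tester's check: does a session-less direct request mint an account?"""
    resp = handler(Request(GENERATOR_PATH), Pool())
    return resp.status == 200


def exhaust_pool(handler) -> int:
    """Count how many accounts an unauthenticated caller can mint before
    the pool is empty; 0 means the handler refused every request."""
    pool = Pool()
    minted = 0
    while handler(Request(GENERATOR_PATH), pool).status == 200:
        minted += 1
    return minted


if __name__ == "__main__":
    print("vulnerable:", forced_browsing_succeeds(handle_vulnerable),
          exhaust_pool(handle_vulnerable))
    print("fixed:", forced_browsing_succeeds(handle_fixed),
          exhaust_pool(handle_fixed))
```

The design point is that authorisation belongs at the endpoint that performs the privileged action; removing a link from the administrative page does not stop a client from requesting the URL directly.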