CVSS: 6.0EPSS: 0%CPEs: 66EXPL: 0CVE-2022-26414
https://notcve.org/view.php?id=CVE-2022-26414
A potential buffer overflow vulnerability was identified in some internal functions of Zyxel VMG3312-T20A firmware version 5.30(ABFX.5)C0, which could be exploited by a local authenticated attacker to cause a denial of service. Se ha identificado una potencial vulnerabilidad de desbordamiento de búfer en algunas funciones internas del firmware de Zyxel VMG3312-T20A versión 5.30(ABFX.5)C0, que podría ser aprovechada por un atacante local autenticado para causar una denegación de servicio • https://www.zyxel.com/support/OS-command-injection-and-buffer-overflow-vulnerabilities-of-CPE-and-ONTs.shtml • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.0EPSS: 0%CPEs: 66EXPL: 0CVE-2022-26413
https://notcve.org/view.php?id=CVE-2022-26413
A command injection vulnerability in the CGI program of Zyxel VMG3312-T20A firmware version 5.30(ABFX.5)C0 could allow a local authenticated attacker to execute arbitrary OS commands on a vulnerable device via a LAN interface. Una vulnerabilidad de inyección de comandos en el programa CGI del firmware de Zyxel VMG3312-T20A versión 5.30(ABFX.5)C0, podría permitir a un atacante local autenticado ejecutar comandos arbitrarios del Sistema Operativo en un dispositivo vulnerable por medio de una interfaz LAN • https://www.zyxel.com/support/OS-command-injection-and-buffer-overflow-vulnerabilities-of-CPE-and-ONTs.shtml • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0556 – ZyXel AP Configurator Incorrect Permission Assignment Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-0556
A local privilege escalation vulnerability caused by incorrect permission assignment in some directories of the Zyxel AP Configurator (ZAC) version 1.1.4, which could allow an attacker to execute arbitrary code as a local administrator. Una vulnerabilidad de escalada de privilegios local causada por la asignación incorrecta de permisos en algunos directorios de Zyxel AP Configurator (ZAC) versión 1.1.4, que podría permitir a un atacante ejecutar código arbitrario como administrador local This vulnerability allows local attackers to escalate privileges on affected installations of ZyXel AP Configurator. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the installer. The issue results from incorrect permissions set on a directory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of an Administrator. • https://www.zyxel.com/support/Zyxel-security-advisory-for-local-privilege-escalation-vulnerability-of-AP-Configurator.shtml • CWE-269: Improper Privilege Management CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 6%CPEs: 48EXPL: 0CVE-2022-0342
https://notcve.org/view.php?id=CVE-2022-0342
An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. Una vulnerabilidad de omisión de autenticación en el programa CGI de USG/ZyWALL de Zyxel versiones de firmware de las series 4.20 a 4.70, las versiones de firmware de la serie USG FLEX 4.50 a 5.20, las versiones de firmware de la serie ATP 4.32 a 5.20, las versiones de firmware de la serie VPN 4.30 a 5.20 y las versiones de firmware de la serie NSG V1.20 a V1.33 Parche 4, que podría permitir a un atacante omitir la autenticación web y obtener acceso administrativo al dispositivo • https://www.zyxel.com/support/Zyxel-security-advisory-for-authentication-bypass-vulnerability-of-firewalls.shtml • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 14%CPEs: 2EXPL: 3CVE-2021-46387 – Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-46387
ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). Insecure URI handling leads to bypass security restriction to achieve Cross Site Scripting, which allows an attacker able to execute arbitrary JavaScript codes to perform multiple attacks such as clipboard hijacking and session hijacking. ZyXEL ZyWALL 2 Plus Internet Security Appliance está afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS). Un manejo no seguro de URI conlleva a omitir la restricción de seguridad para lograr una vulnerabilidad de tipo Cross Site Scripting, lo que permite a un atacante capaz de ejecutar códigos JavaScript arbitrarios para llevar a cabo múltiples ataques como el secuestro del portapapeles y el secuestro de la sesión. Zyxel ZyWALL 2 Plus suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50797 http://packetstormsecurity.com/files/166189/Zyxel-ZyWALL-2-Plus-Cross-Site-Scripting.html https://drive.google.com/drive/folders/1_XfWBLqxT2Mqt7uB663Sjlc62pE8-rcN?usp=sharing https://www.zyxel.com/uk/en/products_services/zywall_2_plus.shtml https://www.zyxel.com/us/en/support/security_advisories.shtml • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •