CVE-2022-0342
https://notcve.org/view.php?id=CVE-2022-0342
An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. Una vulnerabilidad de omisión de autenticación en el programa CGI de USG/ZyWALL de Zyxel versiones de firmware de las series 4.20 a 4.70, las versiones de firmware de la serie USG FLEX 4.50 a 5.20, las versiones de firmware de la serie ATP 4.32 a 5.20, las versiones de firmware de la serie VPN 4.30 a 5.20 y las versiones de firmware de la serie NSG V1.20 a V1.33 Parche 4, que podría permitir a un atacante omitir la autenticación web y obtener acceso administrativo al dispositivo • https://www.zyxel.com/support/Zyxel-security-advisory-for-authentication-bypass-vulnerability-of-firewalls.shtml • CWE-287: Improper Authentication •
CVE-2021-35029
https://notcve.org/view.php?id=CVE-2021-35029
An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device. Una vulnerabilidad de omisión de la autenticación en la interfaz de administración basada en web de Zyxel USG/Zywall series versiones de firmware 4.35 hasta 4.64 y USG Flex, ATP, y VPN versiones de firmware 4.35 hasta 5.01, que podría permitir a un atacante remoto ejecutar comandos arbitrarios en un dispositivo afectado • https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml • CWE-287: Improper Authentication •
CVE-2019-9955 – Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9955
On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter. En dispositivos Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100. La página de inicio de sesión del servidor de seguridad es vulnerable a Reflected XSS por medio del parámetro 'mp_idx' no saneado. ZyWall 310, ZyWall 110, USG1900, ATP500, and USG40 devices suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/46706 http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Apr/22 https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •