CVE-2022-40603 MEDIUM

CVE-2022-40603

Vendor Zyxel

Product ZyWALL/USG series firmware

Weakness CWE-79 · XSS

Published December 6, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

4.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.

Key dates

02Disclosure timeline

December 6, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-40603 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2022-40603

CWE CWE-79

CVSS 4.7 / MEDIUM

Affected versions

Vendor Zyxel

Product ZyWALL/USG series firmware

Affected 4.30 through 4.72

Vendor Zyxel

Product VPN series firmware

Affected 4.30 through 5.31

Vendor Zyxel

Product USG FLEX series firmware

Affected 4.50 through 5.31

Vendor Zyxel

Product ATP series firmware

Affected 4.32 through 5.31

CVE-2022-40603

01Description

02Disclosure timeline

03References

04Related CVE