CVE-2023-27990 MEDIUM

CVE-2023-27990

Vendor Zyxel
Product ATP series firmware
Weakness CWE-79 · XSS
Published April 24, 2023
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.

Key dates

02Disclosure timeline

April 24, 2023 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-49523 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-48170 WordPress Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Cross Site Scripting (XSS) Vulnerability CVE-2024-0587 Accelerated Mobile Pages <= 1.0.92.1 - Reflected Cross-Site Scripting CVE-2025-5538 BNS Featured Category <= 2.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2021-25015 myCred < 2.4 - Reflected Cross-Site Scripting