Advisories

CVE-2006-3929: Zyxel Prestige 660H-61 Cross-Site Scripting

31 July, 2006

Tags: , ,

CVSS Score
4.3
Confidentiality Impact None (There is no impact to the confidentiality of the system.)
Integrity Impact Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact None (There is no impact to the availability of the system.)
Access Complexity Medium (The access conditions are somewhat specialized. Some preconditions must be satistified to exploit)
Authentication Not required (Authentication is not required to exploit the vulnerability.)
Gained Access None
Vulnerability Type(s) Cross Site Scripting
CWE ID CWE id is not defined for this vulnerability

Tested on Zyxel Prestige 660H-61
ZyNOS F/W Version: V3.40(PT.0)b32 | 1/28/2005
Standard:NORMAL

Discovered by: José Ramón Palanco: jpalanco@gmail.com

Description:

Zyxel Prestige 660H-61 ADSL Router is vulnerable to a security vulnerability that allows Cross-Site Scripting attacks.
Due to improper filtering, a remote attacker can exploit a cross-site scripting in this script:

http://router/Forms/rpSysAdmin?a=%3Cscript%3Ealert(‘www.eazel.es’)%3C/script%3E

 

Share with your friends










Submit

Author

Jose Palanco

VP Threat Intelligence at ElevenPaths

Your email address will not be published.