Vulnerabilities > Zyxel

DATE CVE VULNERABILITY TITLE RISK
2024-11-27 CVE-2024-11667 Path Traversal vulnerability in Zyxel ZLD
A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.
network
low complexity
zyxel CWE-22
critical
9.8
2024-11-12 CVE-2024-8881 OS Command Injection vulnerability in Zyxel products
A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to execute some operating system (OS) commands on an affected device by sending a crafted HTTP request.
low complexity
zyxel CWE-78
6.8
2024-11-12 CVE-2024-8882 Classic Buffer Overflow vulnerability in Zyxel products
A buffer overflow vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to cause denial of service (DoS) conditions via a crafted URL.
low complexity
zyxel CWE-120
4.5
2024-10-22 CVE-2024-9677 Insufficiently Protected Credentials vulnerability in Zyxel UOS 1.20/1.21
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator.
local
low complexity
zyxel CWE-522
7.8
2024-09-24 CVE-2024-38267 Unspecified vulnerability in Zyxel products
An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.
network
low complexity
zyxel
4.9
2024-09-24 CVE-2024-38268 Unspecified vulnerability in Zyxel products
An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.
network
low complexity
zyxel
4.9
2024-09-24 CVE-2024-38269 Unspecified vulnerability in Zyxel products
An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.
network
low complexity
zyxel
4.9
2024-09-10 CVE-2024-38270 Insufficient Entropy vulnerability in Zyxel products
An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0.
low complexity
zyxel CWE-331
6.5
2024-09-03 CVE-2024-42061 Cross-site Scripting vulnerability in Zyxel ZLD
A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload.
network
low complexity
zyxel CWE-79
6.1
2024-09-03 CVE-2024-7261 OS Command Injection vulnerability in Zyxel products
The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
network
low complexity
zyxel CWE-78
critical
9.8