Vulnerabilities > Zyxel

DATE CVE VULNERABILITY TITLE RISK
2024-09-24 CVE-2024-38267 Unspecified vulnerability in Zyxel products
An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.
network
low complexity
zyxel
4.9
2024-09-24 CVE-2024-38268 Unspecified vulnerability in Zyxel products
An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.
network
low complexity
zyxel
4.9
2024-09-24 CVE-2024-38269 Unspecified vulnerability in Zyxel products
An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.
network
low complexity
zyxel
4.9
2024-09-10 CVE-2024-38270 Insufficient Entropy vulnerability in Zyxel products
An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0.
low complexity
zyxel CWE-331
6.5
2024-09-03 CVE-2024-42061 Cross-site Scripting vulnerability in Zyxel ZLD Firmware 4.30/4.55
A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload.
network
low complexity
zyxel CWE-79
6.1
2024-09-03 CVE-2024-7261 OS Command Injection vulnerability in Zyxel products
The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
network
low complexity
zyxel CWE-78
critical
9.8
2024-09-03 CVE-2024-42057 OS Command Injection vulnerability in Zyxel ZLD Firmware 4.30/4.55
A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device.
network
high complexity
zyxel CWE-78
8.1
2024-09-03 CVE-2024-42058 NULL Pointer Dereference vulnerability in Zyxel ZLD Firmware 4.30/4.55
A null pointer dereference vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V5.20 through V5.38, and USG20(W)-VPN series firmware versions from V5.20 through V5.38 could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets to a vulnerable device.
network
low complexity
zyxel CWE-476
7.5
2024-09-03 CVE-2024-42059 OS Command Injection vulnerability in Zyxel ZLD Firmware
A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V5.00 through V5.38, USG FLEX series firmware versions from V5.00 through V5.38, USG FLEX 50(W) series firmware versions from V5.00 through V5.38, and USG20(W)-VPN series firmware versions from V5.00 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.
network
low complexity
zyxel CWE-78
7.2
2024-09-03 CVE-2024-42060 OS Command Injection vulnerability in Zyxel ZLD Firmware 4.30/4.55
A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.
network
low complexity
zyxel CWE-78
7.2