2FA VPN Authorization email link is vulnerable to XSS injection


We have recently enabled 2 Factor Authentication for VPN Access on a Zywall 110.  We noticed that the Authentication link is vulnerable to XSS injection, as displayed below:


We removed the Address, but this is the link that is sent via email.  We have modified the key to show a proof of concept.  

Will there be a fix for this in future firmware updates?

We look forward to your reply.
