2FA VPN Authorization email link is vulnerable to XSS injection
Freshman Member
Hello,
We have recently enabled 2 Factor Authentication for VPN Access on a Zywall 110. We noticed that the Authentication link is vulnerable to XSS injection, as displayed below:
https://Address/2FA-access.cgi?key=%22;%20alert(1)//
We removed the Address, but this is the link that is sent via email. We have modified the key to show a proof of concept.
Will there be a fix for this in future firmware updates?
We look forward to your reply.
We have recently enabled 2 Factor Authentication for VPN Access on a Zywall 110. We noticed that the Authentication link is vulnerable to XSS injection, as displayed below:
https://Address/2FA-access.cgi?key=%22;%20alert(1)//
We removed the Address, but this is the link that is sent via email. We have modified the key to show a proof of concept.
Will there be a fix for this in future firmware updates?
We look forward to your reply.
0
All Replies
-
Hi @inchica,We are aware of this issue and will fix it in the next official version.1
Zyxel Employee
Categories
- All Categories
- 415 Beta Program
- 2.5K Nebula
- 152 Nebula Ideas
- 103 Nebula Status and Incidents
- 5.8K Security
- 298 USG FLEX H Series
- 282 Security Ideas
- 1.5K Switch
- 77 Switch Ideas
- 1.1K Wireless
- 42 Wireless Ideas
- 6.5K Consumer Product
- 254 Service & License
- 396 News and Release
- 85 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.6K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 87 About Community
- 76 Security Highlight
