2FA VPN Authorization email link is vulnerable to XSS injection
Options
Hello,
We have recently enabled 2 Factor Authentication for VPN Access on a Zywall 110. We noticed that the Authentication link is vulnerable to XSS injection, as displayed below:
https://Address/2FA-access.cgi?key=%22;%20alert(1)//
We removed the Address, but this is the link that is sent via email. We have modified the key to show a proof of concept.
Will there be a fix for this in future firmware updates?
We look forward to your reply.
We have recently enabled 2 Factor Authentication for VPN Access on a Zywall 110. We noticed that the Authentication link is vulnerable to XSS injection, as displayed below:
https://Address/2FA-access.cgi?key=%22;%20alert(1)//
We removed the Address, but this is the link that is sent via email. We have modified the key to show a proof of concept.
Will there be a fix for this in future firmware updates?
We look forward to your reply.
0
All Replies
-
Hi @inchica,We are aware of this issue and will fix it in the next official version.1
Categories
- All Categories
- 442 Beta Program
- 3K Nebula
- 231 Nebula Ideas
- 131 Nebula Status and Incidents
- 6.6K Security
- 672 USG FLEX H Series
- 360 Security Ideas
- 1.8K Switch
- 87 Switch Ideas
- 1.4K Wireless
- 56 Wireless Ideas
- 7.1K Consumer Product
- 307 Service & License
- 500 News and Release
- 96 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 5.1K FAQ
- 34 Documents
- 89 About Community
- 111 Security Highlight
Freshman Member
Zyxel Employee