CVE-2024-11667

Warnung

EPSS 50.99%
Veröffentlicht 27.11.2024 10:15:04
Zuletzt bearbeitet 05.12.2024 18:41:12
Quelle security@zyxel.com.tw
Teams Watchlist Login
Unerledigt Login

A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zyxel ≫ Zld Version >= 5.00 <= 5.38

   Zyxel ≫ Atp Version-
   Zyxel ≫ Atp100 Version-
   Zyxel ≫ Atp100w Version-
   Zyxel ≫ Atp200 Version-
   Zyxel ≫ Atp500 Version-
   Zyxel ≫ Atp700 Version-
   Zyxel ≫ Atp800 Version-

Zyxel ≫ Zld Version >= 5.00 <= 5.38

   Zyxel ≫ Usg Flex Version-
   Zyxel ≫ Usg Flex 100 Version-
   Zyxel ≫ Usg Flex 100ax Version-
   Zyxel ≫ Usg Flex 100w Version-
   Zyxel ≫ Usg Flex 200 Version-
   Zyxel ≫ Usg Flex 50 Version-
   Zyxel ≫ Usg Flex 500 Version-
   Zyxel ≫ Usg Flex 700 Version-

Zyxel ≫ Zld Version >= 5.10 <= 5.38

Zyxel ≫ Usg Flex 50w Version-

Zyxel ≫ Zld Version >= 5.10 <= 5.38

Zyxel ≫ Usg 20w-vpn Version-

03.12.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Zyxel Multiple Firewalls Path Traversal Vulnerability

Schwachstelle

Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	50.99%	0.977

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@zyxel.com.tw	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-11667

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11667

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11667

EUVD