CVE-2023-23313

high-risk

Published 2023-03-03

Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.

Do I need to act?

0.61% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Vigor2860 Firmware

Vigor2860N Firmware

Vigor2860N-Plus Firmware

Vigor2860Vn-Plus Firmware

Vigor2860Ac Firmware

Vigor2860Vac Firmware

Vigor2860L Firmware

Vigor2860Ln Firmware

Vigor2832 Firmware

Vigor2832N Firmware

Vigor2766 Firmware

Vigor2766Ax Firmware

Vigor2766Ac Firmware

Vigor2766Vac Firmware

Vigor2765 Firmware

Vigor2765Ax Firmware

Vigor2765Ac Firmware

Vigor2765Va Firmware

Vigor2763 Firmware

Vigor2763Ac Firmware

Affected Vendors

Draytek

References (4)

Vendor Advisory https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerabili...

Third Party Advisory https://www.horizonconsulting.com/advisories23-Multiple-XSS-Stored-in-DrayTek-ro...

Vendor Advisory https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerabili...

Third Party Advisory https://www.horizonconsulting.com/advisories23-Multiple-XSS-Stored-in-DrayTek-ro...

/ 100

high-risk

Severity 23/34 · High

Exploitability 2/34 · Minimal

Exposure 29/34 · Critical