Details of VAR-202203-0913

ID

VAR-202203-0913

CVE

CVE-2021-46387

TITLE

Zyxel ZyWALL 2 Plus Cross-Site Scripting Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-21825

DESCRIPTION

ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). Insecure URI handling leads to bypass security restriction to achieve Cross Site Scripting, which allows an attacker able to execute arbitrary JavaScript codes to perform multiple attacks such as clipboard hijacking and session hijacking. Zyxel ZyWALL 2 Plus is a firewall appliance for corporate environments from Zyxel, China. The Zyxel ZyWALL 2 Plus has a cross-site scripting vulnerability that stems from a lack of data validation filtering for user-supplied data and output

Trust: 1.53

sources: NVD: CVE-2021-46387 // CNVD: CNVD-2022-21825 // VULMON: CVE-2021-46387

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-21825

AFFECTED PRODUCTS

vendor:	zyxel	model:	zywall 2 plus internet security appliance	scope:	eq	version:	-	Trust: 1.0
vendor:	zyxel	model:	zywall plus	scope:	eq	version:	2	Trust: 0.6

sources: CNVD: CNVD-2022-21825 // NVD: CVE-2021-46387

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2021-46387
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2022-21825
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202203-021
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-46387
value:	MEDIUM
Trust: 0.1

NVD:
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	TRUE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2022-21825
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULMON:	CVE-2021-46387
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-21825 // VULMON: CVE-2021-46387 // CNNVD: CNNVD-202203-021 // NVD: CVE-2021-46387

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.0

sources: NVD: CVE-2021-46387

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-021

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202203-021

CONFIGURATIONS

sources: NVD: CVE-2021-46387

PATCH

title:	Patch for Zyxel ZyWALL 2 Plus Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchinfo/show/327041	Trust: 0.6
title:	Zyxel Zywall310 Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=184918	Trust: 0.6
title:	Kenzer Templates [5170] [DEPRECATED]	url:	https://github.com/arpsyndicate/kenzer-templates	Trust: 0.1

sources: CNVD: CNVD-2022-21825 // VULMON: CVE-2021-46387 // CNNVD: CNNVD-202203-021

EXTERNAL IDS

db:	NVD	id:	CVE-2021-46387	Trust: 2.3
db:	PACKETSTORM	id:	166189	Trust: 1.7
db:	CNVD	id:	CNVD-2022-21825	Trust: 0.6
db:	EXPLOIT-DB	id:	50797	Trust: 0.6
db:	CXSECURITY	id:	WLB-2022030022	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-021	Trust: 0.6
db:	VULMON	id:	CVE-2021-46387	Trust: 0.1

sources: CNVD: CNVD-2022-21825 // VULMON: CVE-2021-46387 // CNNVD: CNNVD-202203-021 // NVD: CVE-2021-46387

REFERENCES

url:	http://packetstormsecurity.com/files/166189/zyxel-zywall-2-plus-cross-site-scripting.html	Trust: 2.4
url:	https://www.zyxel.com/us/en/support/security_advisories.shtml	Trust: 1.7
url:	https://drive.google.com/drive/folders/1_xfwblqxt2mqt7ub663sjlc62pe8-rcn?usp=sharing	Trust: 1.7
url:	https://www.zyxel.com/uk/en/products_services/zywall_2_plus.shtml	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-46387	Trust: 0.6
url:	https://cxsecurity.com/issue/wlb-2022030022	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2021-46387/	Trust: 0.6
url:	https://www.exploit-db.com/exploits/50797	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/arpsyndicate/kenzer-templates	Trust: 0.1

sources: CNVD: CNVD-2022-21825 // VULMON: CVE-2021-46387 // CNNVD: CNNVD-202203-021 // NVD: CVE-2021-46387

CREDITS

Momen Eldawakhly

Trust: 0.6

sources: CNNVD: CNNVD-202203-021

SOURCES

db:	CNVD	id:	CNVD-2022-21825
db:	VULMON	id:	CVE-2021-46387
db:	CNNVD	id:	CNNVD-202203-021
db:	NVD	id:	CVE-2021-46387

LAST UPDATE DATE

2024-02-13T23:04:54.167000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-21825	date:	2022-03-23T00:00:00
db:	VULMON	id:	CVE-2021-46387	date:	2022-03-09T00:00:00
db:	CNNVD	id:	CNNVD-202203-021	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2021-46387	date:	2022-03-09T13:17:47.150

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-21825	date:	2022-03-23T00:00:00
db:	VULMON	id:	CVE-2021-46387	date:	2022-03-01T00:00:00
db:	CNNVD	id:	CNNVD-202203-021	date:	2022-03-01T00:00:00
db:	NVD	id:	CVE-2021-46387	date:	2022-03-01T15:15:07.887