CVE-2023-23313 — MEDIUM (6.1)

Q: How severe is CVE-2023-23313?

CVE-2023-23313 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-23313?

Check the references section above for vendor advisories and patch information. Affected products include: Draytek Vigor2860 Firmware, Draytek Vigor2860, Draytek Vigor2860N Firmware, Draytek Vigor2860N, Draytek Vigor2860N-Plus Firmware.

Vulnerability Description

Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Draytek	Vigor2860 Firmware	< 3.9.4
Draytek	Vigor2860	-
Draytek	Vigor2860N Firmware	< 3.9.4
Draytek	Vigor2860N	-
Draytek	Vigor2860N-Plus Firmware	< 3.9.4
Draytek	Vigor2860N-Plus	-
Draytek	Vigor2860Vn-Plus Firmware	< 3.9.4
Draytek	Vigor2860Vn-Plus	-
Draytek	Vigor2860Ac Firmware	< 3.9.4
Draytek	Vigor2860Ac	-
Draytek	Vigor2860Vac Firmware	< 3.9.4
Draytek	Vigor2860Vac	-
Draytek	Vigor2860L Firmware	< 3.9.4
Draytek	Vigor2860L	-
Draytek	Vigor2860Ln Firmware	< 3.9.4
Draytek	Vigor2860Ln	-
Draytek	Vigor2832 Firmware	< 3.9.6.3
Draytek	Vigor2832	-
Draytek	Vigor2832N Firmware	< 3.9.6.3
Draytek	Vigor2832N	-

Related Weaknesses (CWE)

CWE-79

References

https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerabiliVendor Advisory
https://www.horizonconsulting.com/advisories23-Multiple-XSS-Stored-in-DrayTek-roThird Party Advisory
https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerabiliVendor Advisory
https://www.horizonconsulting.com/advisories23-Multiple-XSS-Stored-in-DrayTek-roThird Party Advisory

FAQ

What is CVE-2023-23313?

CVE-2023-23313 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vig...

How severe is CVE-2023-23313?

CVE-2023-23313 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-23313?

Check the references section above for vendor advisories and patch information. Affected products include: Draytek Vigor2860 Firmware, Draytek Vigor2860, Draytek Vigor2860N Firmware, Draytek Vigor2860N, Draytek Vigor2860N-Plus Firmware.