CVE-2019-12583 Information

Description

Missing Access Control in the "Free Time" component of several Zyxel UAG, USG and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Reference

https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/

https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

9.1

Base Severity

HIGH
