CVE-2024-11667

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-11667
A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
OR cpe:2.3:h:zyxel:atp:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
OR cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*
History

05 Dec 2024, 18:41

Type Values Removed Values Added
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 - Vendor Advisory
First Time Zyxel usg Flex 100
Zyxel atp500
Zyxel atp800
Zyxel usg Flex 500
Zyxel atp200
Zyxel usg Flex 50w
Zyxel usg Flex
Zyxel atp700
Zyxel zld
Zyxel usg 20w-vpn
Zyxel usg Flex 50
Zyxel usg Flex 200
Zyxel usg Flex 100ax
Zyxel usg Flex 100w
Zyxel atp
Zyxel
Zyxel usg Flex 700
Zyxel atp100w
Zyxel atp100
CPE cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*

28 Nov 2024, 03:15

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de directory traversal en la interfaz de administración web de las versiones de firmware de la serie Zyxel ATP V5.00 a V5.38, las versiones de firmware de la serie USG FLEX V5.00 a V5.38, las versiones de firmware de la serie USG FLEX 50(W) V5.10 a V5.38 y las versiones de firmware de la serie USG20(W)-VPN V5.10 a V5.38 podría permitir que un atacante descargue o cargue archivos a través de una URL manipulada específicamente.
References
  • {'url': 'https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-21-2024', 'source': 'security@zyxel.com.tw'}
  • () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024 -

27 Nov 2024, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-27 10:15

Updated : 2024-12-05 18:41

NVD link : CVE-2024-11667

Mitre link : CVE-2024-11667

CVE.ORG link : CVE-2024-11667

JSON object : View

Products Affected

zyxel

  • zld
  • atp700
  • atp500
  • atp800
  • usg_flex_50
  • usg_flex_500
  • usg_flex_100ax
  • usg_flex_50w
  • usg_flex_200
  • usg_flex_700
  • usg_20w-vpn
  • atp100
  • usg_flex_100
  • atp200
  • usg_flex_100w
  • atp100w
  • usg_flex
  • atp
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')