FKIE_CVE-2025-26202

Vulnerability from fkie_nvd - Published: 2025-03-04 19:15 - Updated: 2025-03-14 20:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page
References
cve@mitre.orghttps://github.com/A17-ba/CVE-2025-26202-Details
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/A17-ba/CVE-2025-26202-Details
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz \u0026 5GHz bands) in DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the \"Click here to display\" option on the Status page"
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de cross site scripting (XSS) en el campo Frase de contrase\u00f1a WPA/WAPI de la configuraci\u00f3n de seguridad inal\u00e1mbrica (bandas de 2,4 GHz y 5 GHz) en la interfaz web del enrutador DZS. Un atacante autenticado puede inyectar c\u00f3digo JavaScript malicioso en el campo de frase de contrase\u00f1a, que se almacena y se ejecuta posteriormente cuando un administrador ve la frase de contrase\u00f1a a trav\u00e9s de la opci\u00f3n \"Haga clic aqu\u00ed para visualizar\" en la p\u00e1gina de estado."
    }
  ],
  "id": "CVE-2025-26202",
  "lastModified": "2025-03-14T20:15:14.167",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-04T19:15:38.640",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/A17-ba/CVE-2025-26202-Details"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/A17-ba/CVE-2025-26202-Details"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.