Security Advisory: Cross-Site Scripting vulnerability (CVE-2023-23313)


Models Affected: See table below
Priority: Critical

Action Required: Check firmware version on units and upgrade if required

A Cross-Site Scripting vulnerability in the hotspot web portal and user management login page on Draytek Routers (CVE-2023-23313) has been discovered.

It is possible for an unauthenticated attacker to inject and store arbitrary JavaScript code into the user's browser by using the vulnerable CGI script. Since the injected code is stored in memory (until the router is rebooted), every user visiting the web portal or user management login page will trigger the stored malicious payload. DrayTek will release new firmwares with security updates for Cross-Site Scripting vulnerability as follows.

ModelFixed Firmware Version
Vigor3220 Series
Vigor2962 Series
Vigor2952 / 2952P
Vigor2927 Series
Vigor2927 LTE Series
Vigor2926 Series
Vigor2926 LTE Series
Vigor2925 Series 3.9.4
Vigor2925 LTE Series 3.9.4
Vigor2915 Series
Vigor2866 Series
Vigor2866 LTE Series
Vigor2865 Series
Vigor2865 LTE Series
Vigor2862 Series
Vigor2862 LTE Series
Vigor2860 Series 3.9.4
Vigor2860 LTE Series 3.9.4
Vigor2832 Series
Vigor2766 Series
Vigor2765 Series
Vigor2763 Series
Vigor2762 Series
Vigor2135 Series
Vigor2133 Series
VigorNIC 132

Any updates or changes in the situation will be posted here.

Update Mailing List (UK/Ireland)

UK/Ireland  users  should  subscribe  to our mailing-list in order to receive  timely  notifications  of  firmware  or critical updates like this and as a general rule of best practice, always keep all of your products firmware up to date and check for updates.

Disclaimer : Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information is this web page is provided in good faith based on the the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.