Security Advisory: Cross-Site Scripting vulnerability (CVE-2023-23313)
ExpiredModels Affected: See table below
Priority: Critical
Action Required: Check firmware version on units and upgrade if required
A Cross-Site Scripting vulnerability in the hotspot web portal and user management login page on Draytek Routers (CVE-2023-23313) has been discovered.
It is possible for an unauthenticated attacker to inject and store arbitrary JavaScript code into the user's browser by using the vulnerable CGI script. Since the injected code is stored in memory (until the router is rebooted), every user visiting the web portal or user management login page will trigger the stored malicious payload. DrayTek will release new firmwares with security updates for Cross-Site Scripting vulnerability as follows.
| Model | Fixed Firmware Version |
|---|---|
| Vigor3910 | 4.3.2.2 |
| Vigor3220 Series | 3.9.7.4 |
| Vigor2962 Series | 4.3.2.2 |
| Vigor1000B | 4.3.2.2 |
| Vigor2952 / 2952P | 3.9.7.4 |
| Vigor2927 Series | 4.4.2.3 |
| Vigor2927 LTE Series | 4.4.2.3 |
| Vigor2926 Series | 3.9.9.1 |
| Vigor2926 LTE Series | 3.9.9.1 |
| Vigor2925 Series | 3.9.4 |
| Vigor2925 LTE Series | 3.9.4 |
| Vigor2915 Series | 4.4.2.1 |
| Vigor2866 Series | 4.4.1.1 |
| Vigor2866 LTE Series | 4.4.1.1 |
| Vigor2865 Series | 4.4.1.1 |
| Vigor2865 LTE Series | 4.4.1.1 |
| Vigor2862 Series | 3.9.9.1 |
| Vigor2862 LTE Series | 3.9.9.1 |
| Vigor2860 Series | 3.9.4 |
| Vigor2860 LTE Series | 3.9.4 |
| Vigor2832 Series | 3.9.6.3 |
| Vigor2766 Series | 4.4.2.1 |
| Vigor2765 Series | 4.4.2.1 |
| Vigor2763 Series | 4.4.2.2 |
| Vigor2762 Series | 3.9.6.5 |
| Vigor2135 Series | 4.4.2.1 |
| Vigor2133 Series | 3.9.6.5 |
| Vigor166 | 4.2.4.1 |
| Vigor165 | 4.2.4.1 |
| Vigor130 | 3.8.5.1 |
| VigorNIC 132 | 3.8.5.1 |
Any updates or changes in the situation will be posted here.
Update Mailing List (UK/Ireland)
UK/Ireland users should subscribe to our mailing-list in order to receive timely notifications of firmware or critical updates like this and as a general rule of best practice, always keep all of your products firmware up to date and check for updates.
Disclaimer : Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information is this web page is provided in good faith based on the the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.