Security Advisory: XSS WUI Issue (March 2019)


TL;DR - Update your Vigor 3900/2960 firmware to version 1.4.3 in order to improve XSS Web UI Protection.

In March 2019, we became aware of a possible exploit of the Vigor 2960/3900. It was identified during testing and reported to us*. It is somewhat limited in scope and likelihood and requires some fairly specific factors; however, as it is still possible, we have corrected the code and issued this advisory. The exploit does not allow access to router settings, Internet traffic or your LAN. The only advice necessary is to upgrade your firmware to version 1.4.3 - and always keep it up to date.

In order to protect users, no other information about the issue is being provided at present.

This issue is for Vigor 2960/3900 only and no other DrayTek products.

Firmware downloads are available from here (For UK/IE Region only).

Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up to date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks, and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.

Please note that mail alerts on this issue will come from our domain "drayteknews.co.uk" not our web domain (draytek.co.uk). Both of the domains are legitimate and belong to us (DrayTek) but in line with anti-phishing measures, you're quite right to check.

*Credit to Compass Security for their testing/reporting.