cve/2024/CVE-2024-42061.md

### [CVE-2024-42061](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42061)
![](https://img.shields.io/static/v1?label=Product&message=ATP%20series%20firmware&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=USG%20FLEX%2050(W)%20series%20firmware&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=USG%20FLEX%20series%20firmware&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=USG20(W)-VPN%20series%20firmware&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=versions%20V4.16%20through%20V5.38%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=versions%20V4.32%20through%20V5.38%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=versions%20V4.50%20through%20V5.38%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%20Improper%20Neutralization%20of%20Input%20During%20Web%20Page%20Generation%20(XSS%20or%20'Cross-site%20Scripting')&color=brightgreen)

### Description

A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds