Cross-Site Scripting vulnerability (CVE-2023-23313)

Release Date: 2023-03-02

A Cross-Site Scripting vulnerability (CVE-2023-23313) has been discovered in the hotspot web portal and user management login page on DrayTek routers.

An unauthenticated attacker can use the vulnerable CGI script to inject and store arbitrary JavaScript code that then runs in the user's browser. Because the injected code is stored permanently, every user who visits the web application triggers the stored malicious payload. DrayTek will release new firmware with security updates for the Cross-Site Scripting vulnerability as follows.

Affected Products

Model                   Fixed Firmware Version
Vigor3220 Series
Vigor2962 Series
Vigor2952 / 2952P
Vigor2927 Series
Vigor2927 LTE Series
Vigor2926 Series
Vigor2926 LTE Series
Vigor2925 Series        3.9.4
Vigor2925 LTE Series    3.9.4
Vigor2915 Series
Vigor2866 Series
Vigor2866 LTE Series
Vigor2865 Series
Vigor2865 LTE Series
Vigor2862 Series
Vigor2862B Series
Vigor2862 LTE Series
Vigor2860 Series        3.9.4
Vigor2860 LTE Series    3.9.4
Vigor2832 Series
Vigor2766 Series
Vigor2765 Series
Vigor2763 Series
Vigor2762 Series
Vigor2135 Series
Vigor2133 Series
VigorNIC 132

Recognizing Contribution

We would like to express our appreciation to Horizon Security's Offensive Team for their efficient testing and timely reporting.

Contact Technical Support

Should you have any security-related inquiry regarding one of our products, please contact DrayTek Technical Support.