We wanted to make sure you were aware that DrayTek has released firmware updates for various products for a security vulnerability. Please check below for further information on the vulnerability.
Security Advisory: Cross-Site Scripting vulnerability (CVE-2023-23313)
Models Affected: See table below
Priority: Critical
Action Required: Check firmware version on units and upgrade if required
A Cross-Site Scripting vulnerability in the hotspot web portal and user management login page on Draytek Routers (CVE-2023-23313) has been discovered.
It is possible for an unauthenticated attacker to inject and store arbitrary JavaScript code into the user’s browser by using the vulnerable CGI script. Since the injected code is stored in memory (until the router is rebooted), every user visiting the web portal or user management login page will trigger the stored malicious payload. DrayTek will release new firmwares with security updates for Cross-Site Scripting vulnerability as follows.
Please check the latest updates here: https://www.draytek.co.uk/support/security-advisories/kb-advisory-cve-2023-23313
| Model | Fixed Firmware Version |
|---|---|
| Vigor3910 | 4.3.2.2 |
| Vigor3220 Series | 3.9.7.4 |
| Vigor2962 Series | 4.3.2.2 |
| Vigor1000B | 4.3.2.2 |
| Vigor2952 / 2952P | 3.9.7.4 |
| Vigor2927 Series | 4.4.2.3 |
| Vigor2927 LTE Series | 4.4.2.3 |
| Vigor2926 Series | 3.9.9.1 |
| Vigor2926 LTE Series | 3.9.9.1 |
| Vigor2925 Series | 3.9.4 |
| Vigor2925 LTE Series | 3.9.4 |
| Vigor2915 Series | 4.4.2.1 |
| Vigor2866 Series | 4.4.1.1 |
| Vigor2866 LTE Series | 4.4.1.1 |
| Vigor2865 Series | 4.4.1.1 |
| Vigor2865 LTE Series | 4.4.1.1 |
| Vigor2862 Series | 3.9.9.1 |
| Vigor2862 LTE Series | 3.9.9.1 |
| Vigor2860 Series | 3.9.4 |
| Vigor2860 LTE Series | 3.9.4 |
| Vigor2832 Series | 3.9.6.3 |
| Vigor2766 Series | 4.4.2.1 |
| Vigor2765 Series | 4.4.2.1 |
| Vigor2763 Series | 4.4.2.2 |
| Vigor2762 Series | 3.9.6.5 |
| Vigor2135 Series | 4.4.2.1 |
| Vigor2133 Series | 3.9.6.5 |
| Vigor166 | 4.2.4.1 |
| Vigor165 | 4.2.4.1 |
| Vigor130 | 3.8.5.1 |
| VigorNIC 132 | 3.8.5.1 |
The latest firmware can be downloaded from https://www.draytek.co.uk/support/downloads
More from DrayTek at Comms Express: DrayTek Routers & Modems | DrayTek Access Points | DrayTek Switches | DrayTek VOIP | DrayTek Licenses & Warranty Subscription Packs | DrayTek MRB Accessories
If you require any further information on these or any other DrayTek products that we stock, please do not hesitate to contact our team who will be only too happy to help.
