Direct Request ('Forced Browsing')

CVE-2019-12583

High

9.1/10

Summary

Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-425 - Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References

Advisory Timeline

Published Jun 27, 2019

Direct Request ('Forced Browsing')

CVE-2019-12583

Summary

CWE-425 - Direct Request ('Forced Browsing')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS