CVE-2024-42061: 
NixOS vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability (CVE-2024-42061) was discovered in the CGI program 'dynamic_script.cgi' of multiple Zyxel firewall series. The affected products include ATP series firmware (V4.32-V5.38), USG FLEX series firmware (V4.50-V5.38), USG FLEX 50(W) series firmware (V4.16-V5.38), and USG20(W)-VPN series firmware (V4.16-V5.38). The vulnerability was disclosed on September 2, 2024, and received a CVSS v3.1 base score of 6.1 (Medium) (NVD, Zyxel Advisory).

The vulnerability exists in the CGI program 'dynamic_script.cgi' and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue allows an attacker to execute malicious scripts by tricking users into visiting a crafted URL containing an XSS payload. The vulnerability has been assigned a CVSS v3.1 base score of 6.1, with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, the vulnerability could allow attackers to obtain browser-based information if the malicious script is executed on the victim's browser. The attack requires user interaction, specifically requiring the target to visit a malicious page or open a malicious file (Hacker News, Zyxel Advisory).

Zyxel has released patches to address this vulnerability in firmware version ZLD V5.39. Users of affected devices are strongly advised to upgrade their firmware to the latest version. The patch is available for all affected product lines including ATP series, USG FLEX series, USG FLEX 50(W), and USG20(W)-VPN series (Zyxel Advisory).

The vulnerability was discovered and reported by nella17 from DEVCORE, demonstrating the active involvement of security researchers in identifying and responsibly disclosing security issues (Zyxel Advisory).