ZyWALL 10 firewalls are prone to cross-site scripting attacks via the web management interface of affected devices. An attacker could exploit this issue by enticing a victim to follow a malicious link to the affected device's web management interface that contains embedded HTML and script code. The embedded code may then be rendered in the victim's web browser.
This could potentially be exploited to steal cookie-based authentication credentials from legitimate users. Other attacks are also possible.
ZyXEL's ZyWALL 10 management interface contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate user input variables upon submission to the "rpAuth_1" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
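With no patch or workaround available, one compensating check is to review logs for requests to "rpAuth_1" that carry HTML markup. The following Python code is an added example, not part of the original advisory or any ZyXEL code; it assumes Common Log Format entries from a proxy in front of the management interface, and the sample lines, paths and parameter names are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters and schemes that have no place in a value sent to a login handler.
MARKUP_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_rpauth_requests(log_lines):
    """Return request targets that hit rpAuth_1 and carry HTML markup."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        parts = urlsplit(target)
        if not parts.path.endswith("rpAuth_1"):
            continue
        # Inspect the whole query string; the advisory names no parameter.
        if MARKUP_RE.search(fully_decode(parts.query)):
            hits.append(target)
    return hits

# Constructed sample lines (not captured traffic); the request paths and
# parameter names are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /rpAuth_1 HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2004:10:00:05 +0000] "GET /rpAuth_1?field=%3Cb%3Ex%3C%2Fb%3E HTTP/1.0" 200 530',
    '192.0.2.12 - - [01/Jan/2004:10:00:09 +0000] "GET /rpAuth_1?field=%253Ci%253Ex HTTP/1.0" 200 530',
    '192.0.2.13 - - [01/Jan/2004:10:00:12 +0000] "GET /status?note=%3Cb%3E HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for target in suspicious_rpauth_requests(SAMPLE_LOG):
        print("review:", target)
```

Access logs do not record POST bodies, so this check only covers input delivered in the URL.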