Overview :
On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS. NOTE: this is an end-of-life product.

On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a crafted WAN name on the General Setup screen. NOTE: this is an end-of-life product.

Affected Product(s) :
  • DrayTek Vigor2925 devices with firmware 3.8.4.3

Vulnerability Details :
CVE ID : CVE-2019-16533
Incorrect Access Control exists in loginset.htm

CVE ID : CVE-2019-16534
XSS exists via a crafted WAN name on the General Setup screen

Solution : Update to the latest version.