CVE-2023-23313

Name: CVE-2023-23313
Creator: NVD / NIST
Published: 2023-03-03T22:15:09.69+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.1/10EPSS 0.36%

Last modified Jun 17, 2026

CVE-2023-23313 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.. EPSS estimates a 0.36% chance of exploitation in the next 30 days.

Description

Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router's web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.36%

27.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Draytek	Vigor2860 Firmware	< 3.9.4
Draytek	Vigor2860n Firmware	< 3.9.4
Draytek	Vigor2860n-Plus Firmware	< 3.9.4
Draytek	Vigor2860vn-Plus Firmware	< 3.9.4
Draytek	Vigor2860ac Firmware	< 3.9.4
Draytek	Vigor2860vac Firmware	< 3.9.4
Draytek	Vigor2860l Firmware	< 3.9.4
Draytek	Vigor2860ln Firmware	< 3.9.4
Draytek	Vigor2832 Firmware	< 3.9.6.3
Draytek	Vigor2832n Firmware	< 3.9.6.3
Draytek	Vigor2766 Firmware	< 4.4.2.1
Draytek	Vigor2766ax Firmware	< 4.4.2.1
Draytek	Vigor2766ac Firmware	< 4.4.2.1
Draytek	Vigor2766vac Firmware	< 4.4.2.1
Draytek	Vigor2765 Firmware	< 4.4.2.1
Draytek	Vigor2765ax Firmware	< 4.4.2.1
Draytek	Vigor2765ac Firmware	< 4.4.2.1
Draytek	Vigor2765va Firmware	< 4.4.2.1
Draytek	Vigor2763 Firmware	< 4.4.2.2
Draytek	Vigor2763ac Firmware	< 4.4.2.2
Draytek	Vigor2762 Firmware	< 3.9.6.5
Draytek	Vigor2762n Firmware	< 3.9.6.5
Draytek	Vigor2762ac Firmware	< 3.9.6.5
Draytek	Vigor2762vac Firmware	< 3.9.6.5
Draytek	Vigor2135 Firmware	< 4.4.2.1
Draytek	Vigor2135ax Firmware	< 4.4.2.1
Draytek	Vigor2135ac Firmware	< 4.4.2.1
Draytek	Vigor2135vac Firmware	< 4.4.2.1
Draytek	Vigor2135fvac Firmware	< 4.4.2.1
Draytek	Vigor2133 Firmware	< 3.9.6.5
Draytek	Vigor2133n Firmware	< 3.9.6.5
Draytek	Vigor2133ac Firmware	< 3.9.6.5
Draytek	Vigor2133vac Firmware	< 3.9.6.5
Draytek	Vigor2133fvac Firmware	< 3.9.6.5
Draytek	Vigor166 Firmware	< 4.2.4.1
Draytek	Vigor165 Firmware	< 4.2.4.1
Draytek	Vigor130 Firmware	< 3.8.5.1
Draytek	Vigornic 132 Firmware	< 3.8.5.1
Draytek	Vigor3910 Firmware	< 4.3.2.2
Draytek	Vigor3220 Firmware	< 3.9.7.4
Draytek	Vigor2962 Firmware	< 4.3.2.2
Draytek	Vigor2962p Firmware	< 4.3.2.2
Draytek	Vigor1000b Firmware	< 4.3.2.2
Draytek	Vigor2952 Firmware	< 3.9.7.4
Draytek	Vigor2952p Firmware	< 3.9.7.4
Draytek	Vigor2927 Firmware	< 4.4.2.3
Draytek	Vigor2927ax Firmware	< 4.4.2.3
Draytek	Vigor2927ac Firmware	< 4.4.2.3
Draytek	Vigor2927vac Firmware	< 4.4.2.3
Draytek	Vigor2927f Firmware	< 4.4.2.3

Showing 50 of 91 affected configurations. See NVD for the full list.

References

https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerability-%28cve-2023-23313%29/Vendor Advisory
https://www.horizonconsulting.com/advisories23-Multiple-XSS-Stored-in-DrayTek-routers-CVE-2023-23313Third Party Advisory
https://www.draytek.com/about/security-advisory/cross-site-scripting-vulnerability-%28cve-2023-23313%29/Vendor Advisory
https://www.horizonconsulting.com/advisories23-Multiple-XSS-Stored-in-DrayTek-routers-CVE-2023-23313Third Party Advisory

Timeline

Published: Mar 3, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-23313?

How severe is CVE-2023-23313?

CVE-2023-23313 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.36% probability of exploitation in the next 30 days.

How do I fix CVE-2023-23313?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-23313?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST