Unrated severity · NVD Advisory · Published Apr 24, 2020 · Updated Aug 5, 2024

CVE-2017-18700

Description

Certain NETGEAR devices are affected by stored XSS. This affects D6400 before 1.0.0.60, D7000 before 1.0.1.50, D8500 before 1.0.3.29, EX6200 before 1.0.3.84, EX7000 before 1.0.0.60, R6250 before 1.0.4.16, R6300v2 before 1.0.4.18, R6400 before 1.01.32, R6400v2 before 1.0.2.44, R6700 before 1.0.1.36, R6900 before 1.0.1.34, R6900P before 1.3.0.8, R7000 before 1.0.9.14, R7000P before 1.3.0.8, R7100LG before 1.0.0.34, R7300DST before 1.0.0.56, R7900 before 1.0.1.26, R8000 before 1.0.4.4, R8300 before 1.0.2.106, R8500 before 1.0.2.106, R9000 before 1.0.2.52, WNDR3400v3 before 1.0.1.16, WNR3500Lv2 before 1.2.0.46, and WNDR3700v5 before 1.1.0.48.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in many NETGEAR routers, gateways, and extenders allows attackers to inject malicious scripts into the web interface.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web interface of numerous NETGEAR devices, including D6400, D7000, D8500, EX6200, EX7000, R6250, R6300v2, R6400, R6400v2, R6700, R6900, R6900P, R7000, R7000P, R7100LG, R7300DST, R7900, R8000, R8300, R8500, R9000, WNDR3400v3, WNR3500Lv2, and WNDR3700v5. Affected firmware versions are those prior to the specific fixed releases listed in the advisory [1].

Exploitation

An attacker with network access to the device's web interface can submit a crafted request containing a malicious script payload. The device stores the script and executes it in the administrator's browser when the administrator later accesses the affected page. No user interaction beyond the administrator's normal browsing is required [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the administrator's browser session. This could lead to session hijacking, credential theft, or further compromise of the device and network, affecting confidentiality and integrity [1].

Mitigation

NETGEAR has released firmware updates to fix this vulnerability. Users should update to the latest firmware for their specific model, as listed in the advisory. No workarounds are available; updating is the only mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
