VYPR
Unrated severity · NVD Advisory · Published Apr 21, 2020 · Updated Aug 5, 2024

CVE-2017-18800

Description

Certain NETGEAR devices are affected by reflected XSS. This affects R6700v2 before 1.1.0.42 and R6800 before 1.1.0.42.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in NETGEAR R6700v2 and R6800 routers before firmware 1.1.0.42 allows remote attackers to execute arbitrary script.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of NETGEAR R6700v2 and R6800 routers running firmware versions prior to 1.1.0.42 [1]. The flaw allows an attacker to inject arbitrary JavaScript into a page returned by the router, which is then executed in the context of the victim's browser.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload and tricking a logged-in user into clicking it. No authentication is required to trigger the vulnerability (PR:N), but user interaction is necessary (UI:R). The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates low attack complexity (AC:L) and a changed scope (S:C) [1].

Impact

Successful exploitation enables the attacker to execute arbitrary script in the victim's browser, potentially leading to disclosure of sensitive information (e.g., session cookies), unauthorized actions on the router's web interface, or redirection to malicious sites. The CVSS score is 6.1 (Medium) with low impacts on confidentiality, integrity, and availability [1].

Mitigation

NETGEAR has released firmware version 1.1.0.42 for both R6700v2 and R6800 to address this vulnerability [1]. Users are strongly advised to download and install the latest firmware from the NETGEAR support website. No workarounds are provided; updating is the only recommended mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3


References

1
