VYPR
Unrated severity · NVD Advisory · Published Apr 21, 2020 · Updated Aug 5, 2024

CVE-2017-18809

Description

NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NETGEAR ReadyNAS OS 6 devices prior to 6.8.0 are vulnerable to stored cross-site scripting (XSS).

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in NETGEAR ReadyNAS OS 6 devices running firmware versions prior to 6.8.0. The vulnerability allows an attacker to inject malicious scripts that are stored on the device and later executed in the context of the affected application. The issue affects all ReadyNAS OS 6 series models [1].

Exploitation

Exploitation requires high privileges (e.g., administrator access) and user interaction. An authenticated attacker with those privileges can inject script code into input fields that are not properly sanitized; the stored script then executes when another user (or the same user) accesses the affected page. The CVSS vector indicates a local attack vector, low complexity, and required user interaction [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to disclosure of sensitive information, modification of content, or limited access to other application features. The CVSS v3 score is 5.2 (Medium) with impacts to confidentiality, integrity, and availability all rated as low [1].

Mitigation

NETGEAR has released firmware version 6.8.0, which addresses this vulnerability. Users are strongly advised to download and install the latest firmware from the NETGEAR Support website. No workarounds are documented [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
