Unrated severity · NVD Advisory · Published Apr 21, 2020 · Updated Aug 5, 2024

CVE-2017-18810

Description

NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in NETGEAR ReadyNAS OS 6 prior to 6.8.0 allows high-privilege attackers to inject scripts that execute in other users' sessions.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in NETGEAR ReadyNAS OS 6 devices running firmware versions prior to 6.8.0 [1]. The vulnerability allows an attacker with high privileges to inject malicious scripts that are stored on the device and executed in the context of other users' sessions.

Exploitation

Exploitation requires an attacker to have high privileges (e.g., administrator access) on the ReadyNAS device. The attacker can inject a malicious script into a vulnerable input field, which is then stored and later executed when another user (such as an administrator) views the affected page. User interaction is required for the script to execute, as indicated by the CVSS vector (UI:R) [1].

Impact

Successful exploitation has a low impact on confidentiality, integrity, and availability. The scope is changed, meaning the attacker can affect resources beyond the vulnerable component. The attacker may be able to perform actions on behalf of the victim, such as modifying settings or accessing sensitive information, within the context of the victim's session [1].

Mitigation

NETGEAR has released firmware version 6.8.0 to address this vulnerability. Users should update their ReadyNAS OS 6 devices to version 6.8.0 or later. No workarounds are provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1