CVE-2017-18814
Description
NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6.8.0 are affected by stored XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR ReadyNAS OS 6 devices prior to 6.8.0 are affected by a stored cross-site scripting (XSS) vulnerability.
Vulnerability
A stored cross-site scripting vulnerability exists in NETGEAR ReadyNAS OS 6 devices running firmware versions prior to 6.8.0 [1]. The flaw allows an attacker with administrative privileges to inject arbitrary JavaScript or HTML into the device's web interface, which is then persistently stored and executed in the context of other administrators' sessions.
Exploitation
An attacker must have administrative access to the ReadyNAS web interface [1]. The attacker can then inject malicious script via a vulnerable input field. When another administrator accesses the affected page, the script executes without requiring user interaction beyond normal navigation within the admin interface.
Impact
Successful exploitation leads to cross-site scripting, which can result in disclosure of session tokens, unauthorized actions performed in the context of the victim administrator's session, and potential further compromise of the device or network [1]. The CVSS v3 score is 5.2 (Medium) with the vector AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L [1].
Mitigation
NETGEAR has released ReadyNAS OS version 6.8.0 to fix this vulnerability [1]. Users should update their firmware to the latest version via the NETGEAR Support website. No workarounds are documented. The vulnerability remains exploitable if the firmware is not updated [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR/ReadyNAS OS
References