VYPR
Unrated severity · NVD Advisory · Published Apr 20, 2020 · Updated Aug 5, 2024

CVE-2017-18833

Description

Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in NETGEAR M4300 and M4200 switches before firmware 12.0.2.15 allows remote attackers to inject arbitrary web script via a crafted link.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the web management interface of multiple NETGEAR fully managed switches. Affected models include M4300-28G, M4300-52G, M4300-28G-POE+, M4300-52G-POE+, M4300-8X8F, M4300-12X12F, M4300-24X24F, M4300-24X, M4300-48X, and M4200 running firmware versions prior to 12.0.2.15 [1]. The interface reflects attacker-controlled input back into a management page without adequate encoding, so script supplied in a request is returned to the user and executed by the browser.

Exploitation

An attacker can exploit this vulnerability by tricking a logged-in administrator into clicking a crafted link that contains the malicious payload. No authentication is required from the attacker, but user interaction (clicking the link) is necessary [1]. Because the attack is reflected, the script runs in the victim's browser under the origin of the switch's management interface, with the victim's authenticated session.

Impact

Successful exploitation allows the attacker to execute arbitrary web script in the victim's browser, potentially leading to disclosure of sensitive information, session hijacking, or performing administrative actions on behalf of the victim. The CVSS v3 score is 6.1 (Medium) with vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L [1]. The impact is limited to the scope of the management interface session.

Mitigation

NETGEAR has released firmware version 12.0.2.15 to fix this vulnerability. Users should download and install the latest firmware from NETGEAR Support for their specific switch model [1]. There is no known workaround; applying the firmware update is the only mitigation.
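As an added example, not from the advisory or from NETGEAR: a small inventory check that flags the models listed above when they run firmware older than 12.0.2.15. It assumes firmware versions are reported as plain dotted numbers, and the sample inventory is constructed.

```python
import re

# Models the advisory lists as affected before firmware 12.0.2.15 (from the CVE description).
AFFECTED_MODELS = {
    "M4300-28G", "M4300-52G", "M4300-28G-POE+", "M4300-52G-POE+",
    "M4300-8X8F", "M4300-12X12F", "M4300-24X24F", "M4300-24X", "M4300-48X",
    "M4200",
}
FIXED_VERSION = "12.0.2.15"


def parse_version(version: str) -> tuple:
    """Turn a dotted firmware string such as '12.0.2.15' into a tuple of ints.

    Comparing strings lexically would rank '12.0.2.9' above '12.0.2.15';
    numeric tuples avoid that mistake. Anything non-numeric is rejected
    rather than silently treated as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, firmware: str) -> bool:
    """True if the model is in the advisory's list and runs firmware older than 12.0.2.15."""
    model = model.strip().upper()
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return the (hostname, model, firmware) entries that still need the update."""
    return [(host, model, fw) for host, model, fw in inventory if is_affected(model, fw)]


# Constructed sample inventory (hypothetical hostnames, not real devices).
SAMPLE_INVENTORY = [
    ("core-sw1", "M4300-52G", "12.0.2.9"),   # older than the fix: flag it
    ("core-sw2", "M4300-52G", "12.0.2.15"),  # exactly the fixed version: fine
    ("edge-sw1", "M4200", "12.0.2.20"),      # newer than the fix: fine
    ("edge-sw2", "M4300-24X", "11.0.0.45"),  # older major train: flag it
    ("lab-sw1", "GS108", "7.0.0.1"),         # model not in the advisory
]

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {fw} needs firmware {FIXED_VERSION} or later")
```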

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)