CVE-2017-18834
Description
Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in NETGEAR M4300 and M4200 switches before firmware 12.0.2.15 allows an attacker to execute arbitrary JavaScript via a crafted link.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the web-based management interface of several NETGEAR fully managed switch models. Affected devices include M4300-28G, M4300-52G, M4300-28G-POE+, M4300-52G-POE+, M4300-8X8F, M4300-12X12F, M4300-24X24F, M4300-24X, M4300-48X, and M4200 running firmware versions prior to 12.0.2.15 [1]. The vulnerability allows an attacker to inject arbitrary JavaScript code into a reflected response, which is executed in the victim's browser context.
Exploitation
To exploit this vulnerability, an attacker must craft a malicious link containing the XSS payload and convince a user who is authenticated to the device's management interface to click it. No special network position or authentication is required beyond the user's existing session. The XSS is reflected, meaning the payload is not stored on the device but is echoed back in the HTTP response [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the user's browser session. This can lead to information disclosure, such as stealing session cookies or credentials, performing actions on behalf of the user, or defacing the management interface. The CVSS v3 score is 6.1 (Medium) with vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L [1].
Mitigation
NETGEAR has released firmware version 12.0.2.15 that fixes the vulnerability for all affected models [1]. Users should immediately download and install the latest firmware from the NETGEAR Support website. No workarounds are provided; updating firmware is the only mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR/M4300-28G
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.