VYPR
Unrated severity · NVD Advisory · Published Apr 20, 2020 · Updated Aug 5, 2024

CVE-2017-18835

Description

Certain NETGEAR devices are affected by reflected XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in NETGEAR M4300 and M4200 switches before firmware 12.0.2.15 allows attackers to execute arbitrary script via crafted input.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of various NETGEAR fully managed switches, including M4300-28G, M4300-52G, M4300-28G-POE+, M4300-52G-POE+, M4300-8X8F, M4300-12X12F, M4300-24X24F, M4300-24X, M4300-48X, and M4200, running firmware versions prior to 12.0.2.15 [1]. The vulnerability allows an attacker to inject malicious script into a web page that is reflected back to the user.

Exploitation

The attacker can exploit this vulnerability by sending a crafted URL to a logged-in user and convincing them to click on it. The attacker does not require authentication or network access beyond the ability to deliver the malicious link. User interaction is necessary for the attack to succeed.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the user's browser, potentially leading to disclosure of sensitive information, session hijacking, or other malicious actions. The CVSS v3 score is 6.1 (Medium) with a vector of AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

Mitigation

NETGEAR has released firmware version 12.0.2.15 to address this vulnerability. Users should upgrade to this version or later as soon as possible. The fixed firmware is available for download from NETGEAR Support [1]. There is no known workaround.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
