CVE-2017-18839
Description
Certain NETGEAR devices are affected by stored XSS. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NETGEAR M4300 and M4200 managed switches prior to firmware 12.0.2.15 allows authenticated users to inject arbitrary web scripts.
Vulnerability
This is a stored cross-site scripting (XSS) vulnerability affecting multiple NETGEAR fully managed switch models: M4300-28G, M4300-52G, M4300-28G-POE+, M4300-52G-POE+, M4300-8X8F, M4300-12X12F, M4300-24X24F, M4300-24X, M4300-48X, and M4200. All firmware versions prior to 12.0.2.15 are vulnerable [1]. The flaw resides in the web management interface, where an authenticated user with sufficient privileges can inject persistent malicious scripts into device configuration pages.
Exploitation
An attacker must have administrative access to the switch's web interface (high privileges) and convince another authenticated user (e.g., via social engineering) to interact with a page containing the injected script. The CVSS vector indicates local access, high privileges, and user interaction are required [1]. The attacker would store the XSS payload in a configuration field that is later rendered to another administrator.
Impact
Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could result in session hijacking, unauthorized actions on the device, or theft of sensitive information (confidentiality, integrity, and availability are each partially affected) [1]. The CVSS v3 score is 5.2 (Medium).
Mitigation
NETGEAR released firmware version 12.0.2.15 to fix this vulnerability for all affected models [1]. Users should update immediately via NETGEAR Support. No workarounds are documented; if a patch cannot be applied, access to the management interface should be restricted to trusted networks.
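As an added illustration of the bug class described above (this is not NETGEAR's code and is not derived from the patched firmware), the following Node.js snippet models a switch web UI that stores a free-text field and renders it back to another administrator. It shows the vulnerable concatenation beside the encoded rendering, plus a coarse audit that flags stored values worth reviewing. The function and field names (renderUnsafe, renderSafe, findSuspiciousFields, sysDescription) and all sample values are constructed for the example.

```javascript
// Added example (not NETGEAR code): how a stored configuration field turns
// into stored XSS when rendered without encoding, and two defensive pieces:
// output encoding at render time and a coarse audit of stored values.

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample values for a free-text "system description" field.
const benignDescription = 'Core switch, rack 3';
const hostileDescription = '<script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated straight into the page,
// so whatever one administrator typed runs in the next administrator's
// browser when the status page is viewed.
function renderUnsafe(description) {
  return `<td class="sysdesc">${description}</td>`;
}

// Hardened pattern: encode at the point of output. The stored value is kept
// as-is (admins may legitimately use '&' or quotes), but it can no longer
// change the structure of the page.
function renderSafe(description) {
  return `<td class="sysdesc">${escapeHtml(description)}</td>`;
}

// Coarse triage check for an exported configuration: flag string fields that
// contain characters able to open a tag or a script URL. Expect false
// positives; the point is to surface fields for human review.
const TAG_OR_SCRIPT_URL = /<|>|javascript:/i;
function findSuspiciousFields(config) {
  return Object.entries(config)
    .filter(([, value]) => typeof value === 'string' && TAG_OR_SCRIPT_URL.test(value))
    .map(([name]) => name);
}

// Constructed sample of what a configuration export might look like.
const sampleConfig = {
  hostname: 'm4300-core',
  sysDescription: hostileDescription,
  sysLocation: 'Rack 3 & 4',
  sysContact: 'netops@example.com',
};

console.log('unsafe :', renderUnsafe(hostileDescription));
console.log('safe   :', renderSafe(hostileDescription));
console.log('flagged:', findSuspiciousFields(sampleConfig));
```

The audit deliberately leaves `&` and quotes alone, since those appear in ordinary location and contact strings; it only surfaces values that could open a tag or a script URL, and a human still decides whether the field is legitimate.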
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/M4300-28G
  - Range: <12.0.2.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.