CVE-2018-21095
Description
NETGEAR SRR60 and SRS60 devices before firmware 2.2.1.210 are vulnerable to stored cross-site scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
NETGEAR SRR60 and SRS60 devices running firmware versions prior to 2.2.1.210 are affected by a stored cross-site scripting (XSS) vulnerability [1]. The vulnerability resides in the web interface and can be triggered when an authenticated user with high privileges inputs malicious script that is stored and later executed in the context of other users' sessions.
Exploitation
An attacker must have high privileges (e.g., administrator) on the device to inject the malicious script via the web interface. The stored script is then executed when other users (including those with lower privileges) access the affected page, so user interaction (viewing the page) is required [1]. The attack vector is adjacent network (CVSS:3.0/AV:A), meaning the attacker must be on the same local network as the device.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to disclosure of sensitive information (e.g., session tokens) or limited modification of web content (CVSS Confidentiality and Integrity: Low) [1]. The scope is changed (S:C), meaning the impact extends beyond the vulnerable component.
Mitigation
NETGEAR has released firmware version 2.2.1.210 for both SRR60 and SRS60 to fix this vulnerability [1]. Users should update to the latest firmware as soon as possible. No workarounds are mentioned. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR/SRR60
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.