CVE-2018-21209
Description
Certain NETGEAR devices are affected by reflected XSS. This affects JNR1010v2 before 1.1.0.46, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.46, PR2000 before 1.0.0.20, R6050 before 1.0.1.10, R6220 before 1.1.0.60, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.46, WNR2020 before 1.1.0.46, and WNR2050 before 1.1.0.46.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in multiple NETGEAR devices allows an attacker to inject arbitrary web script via a crafted URL; firmware versions below the per-model fixed releases listed in the description are affected.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the web interfaces of certain NETGEAR devices. An attacker can inject arbitrary HTML and script code via a crafted URL that is reflected back to the user. Affected models include JNR1010v2 before 1.1.0.46, JR6150 before 1.0.1.10, JWNR2010v5 before 1.1.0.46, PR2000 before 1.0.0.20, R6050 before 1.0.1.10, R6220 before 1.1.0.60, WNDR3700v5 before 1.1.0.50, WNR1000v4 before 1.1.0.46, WNR2020 before 1.1.0.46, and WNR2050 before 1.1.0.46 [1].
Exploitation
The CVSS 3.0 vector assigned to this CVE (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N) rates it as requiring adjacent network access (AV:A) and high privileges (PR:H), with no user interaction (UI:N). That differs from the usual reflected-XSS model, in which the attacker needs no privileges on the device but must get an authenticated user to open a crafted link (UI:R). The link can be delivered by email or any other channel, and if the victim has a live session with the device's web interface, the injected script executes in the context of that session [1].
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser with the device's web interface as its origin. The script can read whatever the page can read (for example session cookies that are not flagged HttpOnly) and issue requests that carry the victim's authentication, i.e. change device settings on the victim's behalf. The scope change (S:C) in the CVSS vector reflects that the code runs in the victim's browser, a different security authority from the device web server that holds the flaw [1].
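The reflection pattern described in the Vulnerability and Impact sections, as an added example that is not code from this page or from NETGEAR firmware. The endpoint name status.cgi, the parameter name msg, the address 192.168.1.1 and the page layout are assumptions for the demo; the real vulnerable endpoints and parameters are not given on this page. The block shows a handler that echoes a query value verbatim beside the same handler with HTML escaping, and the check a tester uses to decide whether a probe came back unencoded:

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed stand-in for a device status page that echoes a query value.
# Endpoint, parameter name and layout are assumptions, not NETGEAR's code.
PAGE = "<html><body><p>Status: {status}</p></body></html>"


def render_vulnerable(url: str) -> str:
    """Reflects the 'msg' query value into the page verbatim (reflected XSS)."""
    params = parse_qs(urlsplit(url).query)
    status = params.get("msg", [""])[0]
    return PAGE.format(status=status)


def render_fixed(url: str) -> str:
    """Same page, but the reflected value is HTML-escaped before insertion,
    so '<', '>', '&' and quotes cannot break out of the text node."""
    params = parse_qs(urlsplit(url).query)
    status = html.escape(params.get("msg", [""])[0], quote=True)
    return PAGE.format(status=status)


def reflects_unescaped(body: str, probe: str) -> bool:
    """Tester's check: the probe contains '"', '<' and '>'. If it appears in
    the response exactly as sent, the server did not encode it, which is the
    indicator of a reflected-XSS sink."""
    return probe in body


# A crafted link of the kind the Exploitation section describes. The probe only
# surfaces the cookie to the viewer; a real attacker would exfiltrate it.
PROBE = '"><script>alert(document.cookie)</script>'
CRAFTED = "http://192.168.1.1/status.cgi?msg=" + quote(PROBE)  # address assumed


def demo() -> dict:
    """Run both renderers against the crafted link and report what reflected."""
    return {
        "vulnerable_reflects": reflects_unescaped(render_vulnerable(CRAFTED), PROBE),
        "fixed_reflects": reflects_unescaped(render_fixed(CRAFTED), PROBE),
        "fixed_body": render_fixed(CRAFTED),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Output encoding at the sink is the fix; input filtering alone is not, because the same value may be reflected into more than one context. Pair it with HttpOnly on the session cookie so that a surviving XSS cannot read it directly, and with a CSRF token on state-changing requests, which limits what a script running in the session can do.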
Mitigation
NETGEAR has released firmware updates that fix this vulnerability. The fixed versions are the thresholds given in the description: JNR1010v2 1.1.0.46, JR6150 1.0.1.10, JWNR2010v5 1.1.0.46, PR2000 1.0.0.20, R6050 1.0.1.10, R6220 1.1.0.60, WNDR3700v5 1.1.0.50, WNR1000v4 1.1.0.46, WNR2020 1.1.0.46, and WNR2050 1.1.0.46. Users should compare the installed firmware version against this list and update to the latest firmware for their model via the NETGEAR Support website [1].
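One way to check an inventory against the fixed versions above, as an added example that is not part of this page or a NETGEAR tool. The fixed-version table is copied from the description; the inventory rows are constructed. The version parser assumes the common NETGEAR display format with an optional leading "V" and an optional "_x.y.z" suffix after the numeric part:

```python
import re
from typing import List, Tuple

# Fixed firmware versions per model, from the CVE description on this page.
FIXED_VERSIONS = {
    "JNR1010v2": "1.1.0.46",
    "JR6150": "1.0.1.10",
    "JWNR2010v5": "1.1.0.46",
    "PR2000": "1.0.0.20",
    "R6050": "1.0.1.10",
    "R6220": "1.1.0.60",
    "WNDR3700v5": "1.1.0.50",
    "WNR1000v4": "1.1.0.46",
    "WNR2020": "1.1.0.46",
    "WNR2050": "1.1.0.46",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a string like 'V1.1.0.50_1.0.1' into a comparable integer tuple.
    The leading 'V' and the '_x.y.z' suffix are optional; only the dotted
    numeric prefix is compared, since that is what the advisory ranges use.
    Comparing tuples of ints avoids the '1.1.0.9' > '1.1.0.46' trap that
    plain string comparison falls into."""
    m = re.match(r"[Vv]?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_affected(model: str, version: str) -> bool:
    """True if the model is in the advisory and its firmware is below the fix.
    Models not in the table return False: nothing can be concluded for them
    from this CVE alone."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def affected_devices(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter (model, version) rows down to those still below the fix."""
    return [(m, v) for m, v in inventory if is_affected(m, v)]


# Constructed inventory rows for the demo; not real devices.
INVENTORY = [
    ("R6220", "V1.1.0.50_1.0.1"),   # below 1.1.0.60: affected
    ("R6220", "V1.1.0.60_1.0.2"),   # at the fix: not affected
    ("WNR1000v4", "1.1.0.46"),      # at the fix: not affected
    ("R7000", "1.0.9.88"),          # not in this advisory
]

if __name__ == "__main__":
    for model, version in affected_devices(INVENTORY):
        print(f"{model} {version} is below {FIXED_VERSIONS[model]}: update")
```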
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/NETGEAR devices
- Range: <1.1.0.46 (the fixed version differs per model; see the description for each threshold)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.