CVE-2019-20639
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR RBR50, RBS50, and RBK50 WiFi systems running firmware before 2.3.5.30 are vulnerable to stored XSS.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in certain NETGEAR WiFi system products: RBR50, RBS50, and RBK50 running firmware versions prior to 2.3.5.30. The vulnerability allows an attacker with administrative access to inject malicious script code that is stored on the device and executed in the context of other users' browser sessions [1].
Exploitation
An attacker must have authenticated administrative access to the device's web interface. The attacker can then inject a malicious script into one of the input fields that does not properly sanitize user input. When other users access the affected interface, the stored script executes in their browser [1].
Impact
Successful exploitation can lead to information disclosure (e.g., stealing session cookies) and unauthorized modification of device settings, compromising both confidentiality and integrity of the system. The attack is limited to the web interface and does not affect the underlying router functionality [1].
Mitigation
NETGEAR has released firmware version 2.3.5.30 to fix this vulnerability. Users should update their devices to this version or later. No workarounds are available. The devices are still supported by NETGEAR [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- NETGEAR/devicesdescription
Patches
No patches discovered yet.
References