CVE-2019-20660
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NETGEAR Orbi WiFi systems allows persistent script injection via unauthenticated input in firmware before version 2.3.5.26 (RBR20, RBS20, RBK20) or 2.3.5.30 (RBR40, RBS40, RBK40, RBR50, RBS50, RBK50).
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in certain NETGEAR Orbi WiFi system models, including RBR20, RBS20, RBK20 (before firmware version 2.3.5.26) and RBR40, RBS40, RBK40, RBR50, RBS50, RBK50 (before firmware version 2.3.5.30). The vulnerability allows an attacker to inject malicious scripts that are stored on the device, which are later executed in the context of the administrative web interface [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted input to the affected device without requiring authentication. The injected script is stored and subsequently executed when an administrator accesses the web management interface, leading to persistent script execution [1].
Impact
Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of the administrator's browser session, potentially leading to session hijacking, defacement, or theft of sensitive information. The impact is limited to the web interface and does not imply remote code execution on the device [1].
Mitigation
NETGEAR has released firmware updates to address this vulnerability: version 2.3.5.26 for RBR20, RBS20, RBK20; and version 2.3.5.30 for RBR40, RBS40, RBK40, RBR50, RBS50, RBK50. Users should update to the latest firmware via the NETGEAR Support website [1]. No workarounds are mentioned.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/devices
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.