CVE-2019-20661
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in NETGEAR RBR50, RBS50, and RBK50 WiFi systems before firmware 2.3.5.30 allows authenticated attackers to inject malicious scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in certain NETGEAR WiFi systems: RBR50, RBS50, and RBK50 running firmware versions prior to 2.3.5.30 [1]. The vulnerability is present in the web-based management interface, allowing an authenticated user to inject malicious scripts that are stored and later executed in the context of other users' sessions [1].
Exploitation
An attacker with authenticated access (e.g., admin or user credentials) can inject a crafted payload into a vulnerable input field of the web interface. The payload persists on the device and is executed when other users access the affected page [1]. No user interaction beyond normal browsing is required for the stored script to execute.
Impact
Successful exploitation leads to stored XSS, which can result in disclosure of sensitive information or unauthorized actions performed on behalf of the victim. The CVSS v3 vector indicates a local attack vector, high privileges required, no user interaction, and potential for high confidentiality and integrity impact [1].
Mitigation
NETGEAR has released firmware version 2.3.5.30 to fix the vulnerability for RBR50, RBS50, and RBK50 [1]. Users should update to the latest firmware via the NETGEAR Support page [1]. No workaround other than updating is mentioned.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4
- NETGEAR/devices description
Patches
0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
0
No linked articles in our index yet.