CVE-2019-20662
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NETGEAR RBR50, RBS50, and RBK50 WiFi systems prior to firmware 2.3.5.30 allows authenticated admin users to inject malicious scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web interface of NETGEAR RBR50, RBS50, and RBK50 WiFi system devices running firmware versions prior to 2.3.5.30 [1]. The vulnerability allows an authenticated attacker with administrative privileges to inject malicious scripts that are stored on the device and executed in the context of other users accessing the management interface.
Exploitation
An attacker with administrative access to the device's web management interface can craft a payload and submit it via input fields that are not properly sanitized [1]. The script is then stored and executed when other authenticated users view the affected page. No user interaction is required beyond the initial injection step.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to disclosure of sensitive information (e.g., session cookies, configuration data) and modification of device settings [1]. The CVSS v3 score is 6.0 (Medium) with high impacts on confidentiality and integrity, but no impact on availability.
Mitigation
NETGEAR released firmware version 2.3.5.30 to address this vulnerability. Users should update their devices to this version or later [1]. No workarounds are provided; installing the latest firmware is the recommended mitigation.
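To check a device inventory against the fixed version named above, the following added example (not NETGEAR's code and not part of the original entry) classifies each device. The inventory format, hostnames and sample firmware strings are constructed, and it assumes firmware versions are dotted numbers with an optional leading "V".

```python
import re

# Taken from the entry text: affected models and the first fixed firmware.
AFFECTED_MODELS = {"RBR50", "RBS50", "RBK50"}
FIXED_VERSION = (2, 3, 5, 30)

# Assumption: versions look like "2.3.5.30" or "V2.3.5.30".
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)$")

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def _pad(version, length):
    """Right-pad with zeros so "2.3.5" compares as 2.3.5.0."""
    return version + (0,) * (length - len(version))

def classify(model, firmware):
    """Return 'not-applicable', 'vulnerable', 'patched' or 'unknown'."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-applicable"
    version = parse_version(firmware)
    if version is None:
        # Never report an unreadable version as patched.
        return "unknown"
    n = max(len(version), len(FIXED_VERSION))
    # Numeric comparison: as strings, "2.10.0.2" would sort before "2.3.5.30".
    return "vulnerable" if _pad(version, n) < _pad(FIXED_VERSION, n) else "patched"

# Constructed sample inventory: hostname,model,firmware
SAMPLE_INVENTORY = """\
orbi-lobby,RBR50,V2.3.1.60
orbi-floor2,RBS50,2.3.5.30
orbi-lab,RBK50,2.10.0.2
orbi-guest,rbs50,unknown
switch-core,GS108,1.0.0.4
"""

def audit(inventory_text):
    """Map each hostname in the CSV-style inventory to its classification."""
    results = {}
    for line in filter(str.strip, inventory_text.splitlines()):
        host, model, firmware = (field.strip() for field in line.split(","))
        results[host] = classify(model, firmware)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" need their firmware version confirmed manually before being treated as fixed.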
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4
- NETGEAR/devices description
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.