CVE-2019-20663

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in certain NETGEAR WiFi system products. The affected models are RBR50, RBS50, and RBK50 running firmware versions prior to 2.3.5.30 [1]. The issue allows an authenticated user with administrative privileges to store malicious scripts that will be executed in the context of the affected application when other users access the compromised pages.

Exploitation

Exploitation requires an attacker to have authenticated administrative access to the device's web management interface [1]. The attacker can then inject arbitrary HTML or JavaScript code into a vulnerable input field, which gets stored and later served to other administrators or users visiting the affected section of the device's web UI.

Impact

Successful exploitation leads to stored cross-site scripting [1]. This can allow the attacker to perform actions on behalf of other administrators, modify device settings, or exfiltrate sensitive session information. The CVSS v3.0 score of 6.0 (Medium) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N indicates high confidentiality and integrity impact with no availability impact [1].

Mitigation

NETGEAR has released firmware version 2.3.5.30 for all three affected models (RBR50, RBS50, RBK50) to fix this vulnerability [1]. Users are strongly advised to download and install the latest firmware from NETGEAR Support as soon as possible. No workarounds have been provided if the fix cannot be applied.