Unrated severity · NVD Advisory · Published Apr 15, 2020 · Updated Aug 5, 2024

CVE-2019-20664

Description

Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in NETGEAR WiFi systems (RBR/RBS/RBK series) allows authenticated users to inject arbitrary script via unspecified input fields.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web interface of certain NETGEAR WiFi system models. The affected devices include RBR20, RBS20, RBK20 (before firmware version 2.3.5.26), and RBR40, RBS40, RBK40, RBR50, RBS50, RBK50 (before firmware version 2.3.5.30). The vulnerability allows an authenticated user to inject arbitrary JavaScript code that is stored on the device and later executed in the context of other users' browsers.

Exploitation

An attacker requires authenticated access to the router's administrative interface. The attacker can then provide malicious input to an unspecified field (likely a configuration parameter) that is not properly sanitized. When an administrator views the affected page, the injected script executes in their browser session.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's admin session. This can lead to session hijacking, unauthorized actions, or theft of sensitive credentials. The attack does not require any user interaction beyond the victim viewing the affected page.

Mitigation

NETGEAR has released fixed firmware versions: 2.3.5.26 for the RBR20, RBS20, RBK20 series, and 2.3.5.30 for the RBR40, RBS40, RBK40, RBR50, RBS50, RBK50 series. Users should update to the latest firmware via the NETGEAR Support website. No workarounds are available [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

1
