CVE-2019-20666
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR RBR50, RBS50, and RBK50 WiFi systems with firmware below 2.3.5.30 contain a stored cross-site scripting (XSS) vulnerability.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in certain NETGEAR WiFi system models. Affected devices are the RBR50 (router), RBS50 (satellite), and RBK50 (Orbi kit) running firmware versions prior to 2.3.5.30 [1]. The vulnerability allows an attacker to inject malicious script code that is stored persistently on the device and later executed in the context of an administrator's browser session [1].
Exploitation
Exploitation requires an attacker to have administrative access to the affected device (privileged access) [1]. With that access, the attacker can inject a crafted payload into fields that are not properly sanitized. When the administrator later views stored content, the script executes in the browser, potentially leading to further compromise [1].
Impact
Successful exploitation of this stored XSS can lead to disclosure of sensitive information (such as session tokens or credentials) and the ability to perform administrative actions on behalf of the victim. The CVSS v3.0 score of 6.0 (Medium) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N indicates high impact to confidentiality and integrity, although availability is not affected [1].
Mitigation
NETGEAR released firmware version 2.3.5.30 to address the issue for the RBR50, RBS50, and RBK50 products [1]. Users should download and install the latest firmware from NETGEAR Support as soon as possible. No workaround is available, and upgrading to the fixed firmware is required to remediate the vulnerability [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/devices