CVE-2019-20669
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in NETGEAR Orbi WiFi systems allows an attacker to inject malicious scripts via the web interface; fixed in firmware versions 2.3.5.26 and 2.3.5.30.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web interface of multiple NETGEAR Orbi WiFi system models. Affected devices are the RBR20, RBS20 and RBK20 before firmware version 2.3.5.26, and the RBR40, RBS40, RBK40, RBR50, RBS50 and RBK50 before firmware version 2.3.5.30 [1]. The vulnerability allows an attacker to store malicious script on the device that executes when other users access the interface.
Exploitation
An attacker needs network access to the device's web interface and the ability to submit input that is not properly sanitized. The advisory does not detail the exact attack vector, but stored XSS typically involves injecting script into fields that are later displayed to other users, such as configuration settings or status pages. The advisory does not state that authentication is required, but the attacker likely needs to be on the local network.
Impact
Successful exploitation executes arbitrary JavaScript in the context of the affected device's web interface. This can lead to session hijacking, unauthorized actions, or disclosure of sensitive information. The scope is limited to the web interface, although an attacker could use the XSS as a foothold for further attacks.
Mitigation
NETGEAR has released fixed firmware versions: 2.3.5.26 for the RBR20, RBS20 and RBK20, and 2.3.5.30 for the RBR40, RBS40, RBK40, RBR50, RBS50 and RBK50 [1]. Users should update to the latest firmware via NETGEAR Support. No workarounds are provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
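A defender-side inventory check for this advisory, added here as an example and not code from NETGEAR or from this page: it maps each listed model to the fixed firmware given in the description above and compares versions numerically, so that a build such as 2.3.5.4 is correctly flagged as below 2.3.5.30 rather than above it as a string comparison would rank it. The inventory record format and the sample records are assumptions.

```python
from typing import Optional

# Fixed firmware per affected model, taken from the CVE description above.
FIXED_FIRMWARE = {
    "RBR20": "2.3.5.26", "RBS20": "2.3.5.26", "RBK20": "2.3.5.26",
    "RBR40": "2.3.5.30", "RBS40": "2.3.5.30", "RBK40": "2.3.5.30",
    "RBR50": "2.3.5.30", "RBS50": "2.3.5.30", "RBK50": "2.3.5.30",
}

def parse_version(version: str) -> tuple:
    """'2.3.5.26' -> (2, 3, 5, 26); raises ValueError on malformed input.
    Numeric tuples compare correctly; a plain string compare ranks '2.3.5.4'
    above '2.3.5.26' and would miss a vulnerable unit."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(model: str, firmware: str) -> Optional[bool]:
    """True if the model is in scope and its firmware is below the fixed
    version, False if it is fixed, None if this CVE does not list the model."""
    fixed = FIXED_FIRMWARE.get(model.strip().upper())
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)

def triage_inventory(lines):
    """Apply is_affected to assumed 'model,firmware' records; returns a list of
    (model, firmware, status) with status True/False/None or 'unparseable'."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        model, _, firmware = (part.strip() for part in line.partition(","))
        try:
            status = is_affected(model, firmware)
        except ValueError:
            status = "unparseable"  # bad firmware string; needs manual review
        results.append((model, firmware, status))
    return results

# Constructed sample inventory; not real device data.
SAMPLE_INVENTORY = [
    "# model,firmware",
    "RBR50,2.3.5.4",    # below 2.3.5.30 -> affected
    "RBR50,2.3.5.30",   # fixed build
    "RBS20,2.3.5.24",   # below 2.3.5.26 -> affected
    "R7000,1.0.9.88",   # not an Orbi model listed in this CVE
    "RBR40,unknown",    # malformed firmware string
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` returns one tuple per record; any row with status True is a unit still running firmware older than the fix.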
Affected products (4): NETGEAR/RBR20
Patches (0): No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0): No linked articles in our index yet.