CVE-2019-20670
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR Orbi WiFi systems (RBR50, RBS50, RBK50) prior to firmware 2.3.5.30 are vulnerable to stored cross-site scripting (XSS).
Vulnerability
A stored cross-site scripting (XSS) vulnerability affects NETGEAR Orbi WiFi system models RBR50, RBS50, and RBK50 running firmware versions prior to 2.3.5.30 [1]. The flaw stems from insufficient sanitization of user-controlled input that the device persists in its configuration and later renders, unescaped, in the web management interface, so injected script is stored on the device and executes each time the affected page is loaded, across sessions and for any viewer of that page [1].
Exploitation
To exploit this vulnerability, an attacker must already have administrative access to the device's web interface from the local network [1]. Exploitation consists of writing a malicious script into a stored configuration field that the management interface later displays to other administrators or users [1]. Once stored, the payload fires whenever a browser renders that page; no user interaction beyond normal use of the management interface is required.
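The mechanism described in the two sections above, as an added example that is not NETGEAR code and does not reflect the Orbi firmware's actual templates: a management page stores a configuration value submitted by an administrator and later renders it. The field name ("deviceName"), the page template, the attacker payload and the tag-inventory check are all constructed for illustration. The vulnerable renderer concatenates the stored value straight into HTML; the hardened renderer HTML-encodes it first.

```javascript
// Added example (not NETGEAR code): how a stored XSS in a management UI
// arises and how output encoding removes it. The field name, template and
// payload below are assumptions made for illustration only.

// Constructed attacker input: a value an administrator could type into a
// settings form. It is harmless in storage and only becomes dangerous when
// it is rendered into a page without encoding.
const PAYLOAD = '<img src=x onerror="fetch(\'/steal?c=\'+document.cookie)">';

// In-memory stand-in for the device's persistent configuration store.
const configStore = new Map();

function saveSetting(name, value) {
  // Deliberately no validation: the stored value is attacker-controlled.
  configStore.set(name, String(value));
}

// Vulnerable rendering: the stored value is concatenated straight into HTML,
// so any markup in it is parsed and executed by every browser loading the page.
function renderStatusPageVulnerable() {
  const name = configStore.get('deviceName') ?? '';
  return `<div class="status">Device name: ${name}</div>`;
}

// Hardened rendering: every HTML metacharacter in the value is replaced by
// its character reference before the value is placed in element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[ch]);
}

function renderStatusPageHardened() {
  const name = configStore.get('deviceName') ?? '';
  return `<div class="status">Device name: ${escapeHtml(name)}</div>`;
}

// Crude check to make the difference visible: list the opening tags a browser
// would parse from the rendered HTML. The template contributes only "div";
// anything else came from the stored value. (A real test would load the page
// in a browser and watch for the injected request.)
function tagNames(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

function demo() {
  saveSetting('deviceName', PAYLOAD);
  const vulnerable = renderStatusPageVulnerable();
  const hardened = renderStatusPageHardened();
  return {
    vulnerableTags: tagNames(vulnerable), // ['div', 'img']: payload is live
    hardenedTags: tagNames(hardened),     // ['div']: payload is inert text
    hardened,
  };
}

console.log(demo());
```

Encoding at output time, rather than filtering at input time, is the fix that generalizes: the same stored value may be rendered in several pages, and the encoder does not need to know which characters a future attacker will use. Values placed inside attributes or script blocks need context-specific encoding beyond what element-content escaping provides.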
Impact
An authenticated attacker who successfully exploits this vulnerability can execute arbitrary script in the browser of anyone who views the affected page, within the origin of the device's management interface, potentially leading to session hijacking, credential theft, or manipulation of device settings [1]. The CVSS v3.0 base score is 6.0 (Medium) with vector CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, reflecting high impact on confidentiality and integrity and no impact on availability [1].
Mitigation
NETGEAR has released fixed firmware version 2.3.5.30 for all affected models (RBR50, RBS50, RBK50) [1]. NETGEAR strongly recommends that users download and install the latest firmware from NETGEAR Support as soon as possible [1]. No workarounds are known; applying the firmware update is the only remediation [1].
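A practitioner checking a fleet against this advisory needs to decide, per unit, whether the running firmware is below 2.3.5.30. The following is an added example, not NETGEAR tooling: the model set and fixed version come from the advisory text above, while the inventory entries and hostnames are constructed. It also shows the pitfall that makes such checks wrong when done with plain string comparison.

```javascript
// Added example (not NETGEAR tooling): which inventory entries are still on
// firmware below the fixed 2.3.5.30 release for the models this CVE lists.
// The inventory below is constructed for illustration.

const FIXED_VERSION = '2.3.5.30';
const AFFECTED_MODELS = new Set(['RBR50', 'RBS50', 'RBK50']);

// Compare dotted firmware versions segment by segment as integers.
// A plain string comparison gets this wrong: as strings, '2.3.5.4' sorts
// after '2.3.5.30', which would mark an unpatched unit as fixed.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0; // missing trailing segments count as zero
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected means: one of the listed models AND firmware strictly below the fix.
function isAffected(model, version) {
  return AFFECTED_MODELS.has(model.toUpperCase())
    && compareVersions(version, FIXED_VERSION) < 0;
}

// Constructed inventory (hostname, model, running firmware).
const INVENTORY = [
  { host: 'orbi-base',  model: 'RBR50', version: '2.3.5.4'  }, // below fix
  { host: 'orbi-sat-1', model: 'RBS50', version: '2.3.5.30' }, // at fix
  { host: 'orbi-kit',   model: 'RBK50', version: '2.3.0.32' }, // below fix
  { host: 'orbi-other', model: 'RBR20', version: '2.3.5.4'  }, // model not listed in this CVE
];

function unpatchedUnits(inventory) {
  return inventory
    .filter((d) => isAffected(d.model, d.version))
    .map((d) => d.host);
}

console.log(unpatchedUnits(INVENTORY)); // ['orbi-base', 'orbi-kit']
```

The numeric segment comparison matters precisely for this advisory: the fixed release has a four-part version with a two-digit last segment, so any check built on string ordering would silently pass 2.3.5.4 through 2.3.5.9 as patched.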
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- NETGEAR/RBR50
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.