VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2020 · Updated Aug 5, 2024

CVE-2019-20671

Description

Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in NETGEAR WiFi systems allows authenticated attackers to inject malicious scripts via the web interface.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web interface of certain NETGEAR WiFi system models. Affected devices include RBR20, RBS20, and RBK20 running firmware versions prior to 2.3.5.26, as well as RBR40, RBS40, RBK40, RBR50, RBS50, and RBK50 running firmware versions prior to 2.3.5.30 [1]. The vulnerability allows an attacker to store malicious script code in fields that are later displayed to administrators.

Exploitation

An attacker must have authenticated access to the web interface of the affected device, typically as an administrator. The attacker can then inject malicious JavaScript code into a vulnerable input field, such as a configuration parameter. When another administrator views the affected page, the injected script executes in their browser session [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the web interface. This can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising the device's administrative functions and exposing sensitive network information [1].

Mitigation

NETGEAR has released fixed firmware versions: for RBR20, RBS20, and RBK20, upgrade to version 2.3.5.26 or later; for RBR40, RBS40, RBK40, RBR50, RBS50, and RBK50, upgrade to version 2.3.5.30 or later. Users should download the latest firmware from NETGEAR Support and apply it immediately [1].
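The firmware thresholds above can be checked across a device inventory. The following is an added example, not code from NETGEAR or from this advisory: the hostnames, the inventory rows, the optional leading "V" on firmware strings and the `OTHER-MODEL` entry are constructed assumptions. Versions are compared numerically, since a plain string comparison would rank 2.3.5.4 above 2.3.5.26.

```python
import re

# First fixed firmware per model, as stated in the advisory text.
FIXED = {
    **dict.fromkeys(("RBR20", "RBS20", "RBK20"), (2, 3, 5, 26)),
    **dict.fromkeys(("RBR40", "RBS40", "RBK40",
                     "RBR50", "RBS50", "RBK50"), (2, 3, 5, 30)),
}

def parse_version(text):
    """Return a four-part dotted version as a tuple of ints, or None."""
    # Assumption: inventories may record the version with a leading "V".
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+){3})\s*", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(model, firmware):
    """Classify one device against the advisory's fixed versions."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"        # model is not named in this advisory
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"   # do not guess: flag for manual review
    # Tuple comparison is numeric per component: (2,3,5,4) < (2,3,5,26).
    return "vulnerable" if version < fixed else "fixed"

def audit(inventory):
    """Return (host, model, firmware, status) for every inventory row."""
    return [(h, m, fw, assess(m, fw)) for h, m, fw in inventory]

# Constructed inventory for illustration only.
INVENTORY = [
    ("orbi-lobby", "RBR20", "V2.3.5.4"),
    ("orbi-lab", "rbs50", "2.3.5.30"),
    ("orbi-attic", "RBK40", "2.3.5.26"),
    ("orbi-shed", "RBR50", "unknown"),
    ("other-device", "OTHER-MODEL", "1.0.0.2"),
]

if __name__ == "__main__":
    for host, model, fw, status in audit(INVENTORY):
        print(f"{host:14} {model:12} {fw:10} {status}")
```

Devices reported as `unknown-version` should be checked by hand rather than assumed fixed.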

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1