CVE-2019-20672
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in certain NETGEAR WiFi system models (RBR50, RBS50, RBK50) prior to firmware 2.3.5.30 allows authenticated admin-level attackers to inject malicious scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web interface of NETGEAR RBR50, RBS50, and RBK50 devices running firmware versions prior to 2.3.5.30 [1]. An authenticated user with administrative privileges can inject arbitrary JavaScript code that is stored on the device and later executed in the browser of other admin users when they access certain pages.
Exploitation
An attacker must have valid admin credentials for the affected device's web interface. Once authenticated, the attacker can inject malicious script code into a configuration field that is not properly sanitized. This stored payload is then served to any other admin user who views the affected page, triggering the XSS in their browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an admin user's session, leading to potential information disclosure (confidentiality) and unauthorized modification of settings (integrity) [1]. The CVSS v3 vector indicates high impact on confidentiality and integrity, with a base score of 6.0 (Medium).
Mitigation
NETGEAR has released firmware version 2.3.5.30 to address this vulnerability. Users should immediately upgrade their devices to this version or later by downloading the firmware from NETGEAR Support and following the installation instructions [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NETGEAR/RBR50
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.