VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2020 · Updated Aug 5, 2024

CVE-2019-20674

Description

Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in multiple NETGEAR Orbi WiFi system models allows an attacker to inject malicious script through the web interface, fixed in firmware versions 2.3.5.26 and 2.3.5.30.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web management interface of several NETGEAR Orbi WiFi system models. The affected firmware versions are: RBR20, RBS20, and RBK20 before 2.3.5.26; RBR40, RBS40, RBK40, RBR50, RBS50, and RBK50 before 2.3.5.30 [1]. The vulnerability allows an attacker to store malicious script code that is subsequently executed in the context of another user's session when the user accesses the affected page.

Exploitation

An attacker who can reach the device's administrative web interface over the network can exploit the vulnerability by submitting crafted input that is not properly sanitized. No user interaction beyond the victim accessing the affected page is required for the stored script to execute [1].

Impact

Successful exploitation results in the execution of arbitrary script code within the browser of an authenticated user. This can lead to unauthorized actions being performed on the device, such as modifying configuration, exfiltrating sensitive information, or further compromising the network [1].

Mitigation

NETGEAR has released fixed firmware versions: 2.3.5.26 for the RBR20, RBS20, and RBK20 models; and 2.3.5.30 for the RBR40, RBS40, RBK40, RBR50, RBS50, and RBK50 models. Users are strongly advised to upgrade to the latest firmware as soon as possible [1]. No workarounds are provided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
