CVE-2019-20677
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in NETGEAR Orbi (RBR50, RBS50, RBK50) before 2.3.5.30 allows authenticated high-privilege attackers to inject scripts that execute in other users' sessions.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web interface of NETGEAR Orbi WiFi system models RBR50, RBS50, and RBK50 running firmware versions prior to 2.3.5.30. The vulnerability allows an authenticated attacker with high privileges to inject malicious scripts that are stored on the device and later executed when other users access the affected page [1].
Exploitation
An attacker must have local network access and administrative privileges to the device's web interface. The attacker can inject a malicious script into a vulnerable input field, which is then stored. When another administrator views the affected page, the script executes automatically without requiring user interaction [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to disclosure of sensitive information (e.g., session tokens) and unauthorized actions on the device with the victim's privileges [1].
Mitigation
NETGEAR released firmware version 2.3.5.30 to address this vulnerability. Users should update their devices to this version or later via the NETGEAR Support website. No workarounds are provided [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- NETGEAR/RBR50description
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.