CVE-2019-20678
Description
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR Orbi WiFi systems are vulnerable to stored XSS before firmware version 2.3.5.26 or 2.3.5.30, depending on the model.
Vulnerability
The devices are affected by a stored cross-site scripting (XSS) vulnerability in the web management interface. This affects the following Orbi models and firmware versions: RBK20, RBR20, RBS20 before firmware 2.3.5.26; and RBK40, RBR40, RBS40, RBK50, RBR50, RBS50 before firmware 2.3.5.30 [1]. The vulnerability exists in the firmware's handling of user-supplied input that is later rendered in the administrative interface.
Exploitation
An attacker must have an authenticated session on the target device's web interface or trick an authenticated administrator into performing actions that inject malicious script. The attacker supplies crafted input that, when stored and subsequently viewed by another administrator, executes arbitrary JavaScript in the context of the management interface.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript within the context of the victim's browser session. This could lead to session hijacking, defacement of the management interface, or redirection to malicious sites. The attacker does not gain direct control over the router itself but can perform actions the victim administrator is authorized to do.
Mitigation
NETGEAR released fixed firmware versions 2.3.5.26 for the RBK20, RBR20, RBS20 models and version 2.3.5.30 for the RBK40, RBR40, RBS40, RBK50, RBR50, RBS50 models. Users should update to the latest firmware via the NETGEAR Support page [1]. No workaround is available; upgrading is the only mitigation.
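As an added example (not part of the CVE record and not NETGEAR's own tooling), the following Python check flags inventory entries whose firmware is still below the fixed version stated above for their model; the sample inventory, hostnames and versions are constructed.

```python
# Added example: audit an Orbi firmware inventory against the fixed versions
# given for CVE-2019-20678. Not from the CVE record or from NETGEAR.
from typing import Dict, List, Tuple

# Fixed firmware per model, taken from the advisory text above.
FIXED_VERSION = {
    "RBR20": "2.3.5.26", "RBS20": "2.3.5.26", "RBK20": "2.3.5.26",
    "RBR40": "2.3.5.30", "RBS40": "2.3.5.30", "RBK40": "2.3.5.30",
    "RBR50": "2.3.5.30", "RBS50": "2.3.5.30", "RBK50": "2.3.5.30",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted firmware string into an integer tuple so that
    2.3.5.9 < 2.3.5.26 (a plain string compare gets this backwards)."""
    return tuple(int(part) for part in v.strip().split("."))

def is_affected(model: str, firmware: str) -> bool:
    """True when the model is in scope and runs firmware older than the fix.
    Models not listed in the advisory are out of scope and return False."""
    fixed = FIXED_VERSION.get(model.upper())
    if fixed is None:
        return False
    return parse_version(firmware) < parse_version(fixed)

def audit(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of inventory entries still on vulnerable firmware."""
    return [d["name"] for d in inventory
            if is_affected(d["model"], d["firmware"])]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"name": "orbi-router", "model": "RBR50", "firmware": "2.3.5.9"},
    {"name": "orbi-sat-1",  "model": "RBS50", "firmware": "2.3.5.30"},
    {"name": "orbi-kit",    "model": "RBK20", "firmware": "2.3.5.26"},
    {"name": "orbi-old",    "model": "RBR20", "firmware": "2.3.1.48"},
    {"name": "other-ap",    "model": "R7000", "firmware": "1.0.0.1"},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print(f"{name}: below fixed firmware for CVE-2019-20678, update it")
```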
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR devices (4 entries; affected models and versions as listed in the description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.