CVE-2019-20714
Description
Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.75, D6000 before 1.0.0.75, D7800 before 1.0.1.44, DM200 before 1.0.0.58, R7500v2 before 1.0.3.40, R7800 before 1.0.2.60, R8900 before 1.0.4.12, R9000 before 1.0.4.12, RBK20 before 2.3.0.22, RBR20 before 2.3.0.22, RBS20 before 2.3.0.22, RBK50 before 2.3.0.22, RBR50 before 2.3.0.22, RBS50 before 2.3.0.22, RBS40 before 2.3.0.22, WN3000RPv2 before 1.0.0.68, WN3000RPv3 before 1.0.2.70, WN3100RPv2 before 1.0.0.60, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, and WNR2000v5 before 1.0.0.68.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NETGEAR routers, gateways, and WiFi systems before specific firmware versions are vulnerable to stored cross-site scripting (XSS), allowing attackers to inject malicious scripts into the web interface.
Vulnerability
Certain NETGEAR devices are affected by stored cross-site scripting (XSS) due to insufficient input sanitization in the web interface. This vulnerability exists in models including D3600 (before 1.0.0.75), D6000 (before 1.0.0.75), D7800 (before 1.0.1.44), DM200 (before 1.0.0.58), R7500v2 (before 1.0.3.40), R7800 (before 1.0.2.60), R8900 (before 1.0.4.12), R9000 (before 1.0.4.12), RBK20 (before 2.3.0.22), RBR20 (before 2.3.0.22), RBS20 (before 2.3.0.22), RBK50 (before 2.3.0.22), RBR50 (before 2.3.0.22), RBS50 (before 2.3.0.22), RBS40 (before 2.3.0.22), WN3000RPv2 (before 1.0.0.68), WN3000RPv3 (before 1.0.2.70), WN3100RPv2 (before 1.0.0.60), WNDR4300v2 (before 1.0.0.58), WNDR4500v3 (before 1.0.0.58), and WNR2000v5 (before 1.0.0.68). The vulnerability allows an attacker with access to the device's web interface to store malicious JavaScript or HTML, which is then executed when other users view the affected pages.
Exploitation
An attacker must have network access to the device's web interface (typically via LAN or Wi-Fi) and be able to submit crafted input to a vulnerable form or field. No authentication is required if the vulnerable endpoint is exposed publicly, but many NETGEAR interfaces require admin credentials. The attacker injects a script payload that gets stored persistently (e.g., in a configuration setting, log entry, or user profile). When an administrator or other user later accesses that stored data via the web UI, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or further attacks.
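The store-then-render flow described above, reduced to its essentials as an added Python example (constructed here, not NETGEAR firmware code and not from this CVE's references). An in-memory dictionary stands in for the device's persisted configuration, `render_vulnerable` interpolates a stored setting into HTML unchanged (the insufficient-sanitization defect class), and `render_hardened` shows the two defensive layers a fix would add: HTML output encoding at render time and an allowlist check at storage time. The field name `device_name`, the probe string and the allowlist pattern are all assumptions made for the illustration.

```python
import html
import re

# Constructed in-memory settings store standing in for a router's saved config.
# Hypothetical example; not code from any NETGEAR device.
settings: dict[str, str] = {}

# Constructed probe string: markup that must never reach a browser un-encoded.
PROBE_PAYLOAD = '<script>alert("xss")</script>'

# Allowlist for a human-readable device name (assumed policy for this example).
_DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,32}$")


def validate_device_name(value: str) -> bool:
    """Storage-time defence: accept only characters a device name plausibly needs."""
    return bool(_DEVICE_NAME_RE.fullmatch(value))


def save_setting(key: str, value: str) -> None:
    """Persist the submitted string verbatim: the 'stored' half of stored XSS."""
    settings[key] = value


def save_setting_checked(key: str, value: str) -> bool:
    """Hardened variant: refuse values that fail the allowlist instead of storing them."""
    if not validate_device_name(value):
        return False
    settings[key] = value
    return True


def render_vulnerable(key: str) -> str:
    """Defect class from the advisory: stored value dropped into HTML unchanged,
    so any markup it contains is interpreted by the viewing admin's browser."""
    return f"<tr><td>{key}</td><td>{settings.get(key, '')}</td></tr>"


def render_hardened(key: str) -> str:
    """Output-time defence: encode for the HTML text context so '<', '>', '&'
    and quotes are displayed as characters rather than parsed as markup."""
    value = html.escape(settings.get(key, ""), quote=True)
    return f"<tr><td>{html.escape(key)}</td><td>{value}</td></tr>"


def payload_is_live(rendered: str, payload: str) -> bool:
    """Check used by a reviewer or test: does the raw probe survive into the page?"""
    return payload in rendered


if __name__ == "__main__":
    save_setting("device_name", PROBE_PAYLOAD)
    print("vulnerable render keeps markup live:",
          payload_is_live(render_vulnerable("device_name"), PROBE_PAYLOAD))
    print("hardened render neutralises it:    ",
          not payload_is_live(render_hardened("device_name"), PROBE_PAYLOAD))
    print("allowlist rejects probe at save:   ",
          not save_setting_checked("device_name_checked", PROBE_PAYLOAD))
```

Output encoding is the layer that actually closes the bug, because it is applied where the data meets the browser; the allowlist is defence in depth and only works for fields whose legitimate values are narrow. A fix that relies on input filtering alone tends to miss fields (log entries, client hostnames learned from DHCP) that were never meant to be edited by a user but still reach the admin UI.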
Impact
Successful stored XSS exploitation can result in disclosure of sensitive information (e.g., admin credentials, session tokens), unauthorized actions performed on behalf of the victim (e.g., changing device settings), or injection of additional malicious code into the device's web interface. The attacker gains a foothold within the browser context of any user who views the compromised page, with privileges potentially up to those of an administrator if the victim is an admin.
Mitigation
NETGEAR has released firmware updates to fix this vulnerability. Affected users should download and install the latest firmware version for their specific device model from NETGEAR Support [1]. The fixed versions are: D3600 1.0.0.75, D6000 1.0.0.75, D7800 1.0.1.44, DM200 1.0.0.58, R7500v2 1.0.3.40, R7800 1.0.2.60, R8900 1.0.4.12, R9000 1.0.4.12, RBK20/RBR20/RBS20 2.3.0.22, RBK50/RBR50/RBS50 2.3.0.22, RBS40 2.3.0.22, WN3000RPv2 1.0.0.68, WN3000RPv3 1.0.2.70, WN3100RPv2 1.0.0.60, WNDR4300v2 1.0.0.58, WNDR4500v3 1.0.0.58, WNR2000v5 1.0.0.68. No workarounds are disclosed; users must update firmware to mitigate the vulnerability.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4 entries: NETGEAR / devices (source: description)
Patches
0. No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
0. No linked articles in our index yet.