VYPR
Unrated severity · NVD Advisory · Published Apr 15, 2020 · Updated Aug 4, 2024

CVE-2020-11771

Description

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple NETGEAR routers are vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization, requiring firmware updates to mitigate.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in several NETGEAR router and gateway models. The flaw is present in the firmware's handling of user-supplied input, which is not properly sanitized before being stored and later rendered in the administrative web interface. Affected models and the first patched firmware versions are: D7800 prior to 1.0.1.56, R7500v2 prior to 1.0.3.46, R7800 prior to 1.0.2.68, R8900 prior to 1.0.4.28, R9000 prior to 1.0.4.28, RAX120 prior to 1.0.0.78, XR500 prior to 2.3.2.56, and XR700 prior to 1.0.1.10 [1].

Exploitation

To exploit this vulnerability, an attacker must have authenticated access to the device's web management interface, typically with administrative privileges. The attacker can then inject malicious script code into a field or parameter that is stored by the device. When another administrator (or the same attacker at a later time) views the affected page, the stored script executes in the context of the management interface [1]. No specific user interaction beyond the victim viewing the page is required for the script to execute.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the router's administrative interface. This can lead to session hijacking, manipulation of device settings, credential theft, or further attacks against the local network. The impact is limited to the web management interface and does not directly grant code execution on the device itself [1].

Mitigation

NETGEAR has released fixed firmware versions for all affected models, as listed in the vulnerability section. Users should download and install the latest firmware for their specific device from the NETGEAR Support website. If immediate patching is not possible, administrators should restrict access to the web management interface to trusted IP addresses and use strong, unique passwords [1].
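The root cause described above, a stored value rendered into the administrative page without output encoding, is easiest to see beside its fix. The following is an added example and not NETGEAR firmware code: the field name "deviceName", the in-memory store, the table-cell template and the sample values are all constructed for illustration. It contrasts the vulnerable concatenation with escaping at the point of output, and includes a small check a reviewer can run against rendered markup to confirm that no raw markup characters survive inside the cell.

```javascript
// Added example: stored-XSS-prone rendering vs. output escaping (not NETGEAR code).
// Field name, store and template are hypothetical stand-ins for a router admin page.

// The five characters that must be encoded in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for insertion into HTML text content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulated persistent store (stands in for device NVRAM/config).
const store = new Map();

// Values are stored verbatim; the stored-XSS defence lives at output time.
function saveField(name, value) {
  store.set(name, value);
}

function storedValue(name) {
  return store.has(name) ? store.get(name) : '';
}

// Vulnerable pattern: the stored value is concatenated straight into the markup,
// so any tag or attribute text the value contains becomes live HTML.
function renderVulnerable(name) {
  return `<td class="value">${storedValue(name)}</td>`;
}

// Hardened pattern: the same template, with the value escaped for its context.
function renderHardened(name) {
  return `<td class="value">${escapeHtml(storedValue(name))}</td>`;
}

// Extract the cell body from the constructed template (null if the shape differs).
function innerMarkup(html) {
  const m = html.match(/^<td class="value">([\s\S]*)<\/td>$/);
  return m ? m[1] : null;
}

// Review check: true only if the cell body contains no raw markup characters and
// every ampersand starts one of the entities escapeHtml emits.
function outputIsEscaped(html) {
  const inner = innerMarkup(html);
  if (inner === null) return false;
  if (/[<>"']/.test(inner)) return false;
  return !/&(?!(amp|lt|gt|quot|#x27);)/.test(inner);
}

// Constructed sample values: a benign name with an ampersand, and one carrying markup.
saveField('deviceName', 'Home & Office');
console.log(renderHardened('deviceName'));
saveField('deviceName', '<b onmouseover="x()">hi</b>');
console.log(renderVulnerable('deviceName'), outputIsEscaped(renderVulnerable('deviceName')));
console.log(renderHardened('deviceName'), outputIsEscaped(renderHardened('deviceName')));
```

The benign value shows that escaping preserves legitimate input ("Home & Office" still displays correctly), while the markup-bearing value is neutralised to inert text in the hardened render. Escaping at output, rather than filtering at input, is the choice that holds up when the same stored value is later shown in a second page or a different context.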

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 9

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)