CVE-2020-35228
Description
A cross-site scripting (XSS) vulnerability in the administration web panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices allows remote attackers to inject arbitrary web script or HTML via the language parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS in NETGEAR JGS516PE/GS116Ev2 admin panel via language parameter allows arbitrary script injection.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the administration web panel of NETGEAR JGS516PE/GS116Ev2 switches running firmware version v2.6.0.43. The language parameter is not properly sanitized before being reflected in the page, which allows injection of arbitrary web script or HTML [1].
Exploitation
An attacker needs network access to the management web interface. No authentication is required, as the parameter is processed before login. The attacker sends a crafted request with a malicious payload in the language parameter. The payload executes when the page is rendered in the victim's browser [1].
Impact
Successful exploitation allows remote attackers to execute arbitrary JavaScript in the context of the affected web application. This can lead to session hijacking, defacement, or other client-side attacks. The impact is limited to the web interface and does not provide direct device control [1].
Mitigation
NETGEAR has not released a firmware update as of the advisory date (March 2021). Users are advised to restrict network access to the management interface and monitor for future patches. The advisory notes that the device may be end-of-life [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- NETGEAR/JGS516PE/GS116Ev2
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.