VYPR
Unrated severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-35807

Description

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, RAX120 before 1.0.0.78, RBK22 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and WN3000RPv2 before 1.0.0.78.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in multiple NETGEAR routers and Orbi systems allows an authenticated attacker to inject malicious scripts via the web interface.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of multiple NETGEAR devices. Affected products include the D7800 (before firmware 1.0.1.56), R7800 (before 1.0.2.68), RAX120 (before 1.0.0.78), the Orbi RBK22, RBR20 and RBS20 (before 2.3.5.26), the Orbi RBK40, RBR40, RBS40, RBK50, RBR50 and RBS50 (before 2.3.5.30), and the WN3000RPv2 (before 1.0.0.78) [1]. The vulnerability is triggered when an attacker can store attacker-controlled content on the device that is later rendered into a management page without proper sanitization or output encoding.

Exploitation

An attacker must have administrative access to the device's web-based management interface to inject the stored XSS payload. The attacker would navigate to a vulnerable configuration page, enter the malicious script into an input field (e.g., device name or other settings), and save the changes. When an administrator or other user subsequently views the affected page, the injected script executes within their browser session in the context of the device's management interface [1].
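The store-then-render flow described above, as an added illustration that is not NETGEAR firmware code and is not taken from the advisory: a constructed settings store holds a device-name value exactly as typed, a vulnerable page builder concatenates it into HTML, and a hardened builder encodes it for the HTML context first. The field name, page template, `escapeHtml` helper, `hasScriptMarkup` check and the sample payload are all assumptions made for this example.

```javascript
// Added example (not NETGEAR firmware code): how a stored value such as a
// device name becomes a stored XSS when it is rendered into a management page
// without output encoding, and the hardened rendering that neutralises it.
// The settings store, field name, template and sample payload are constructed.

// Constructed "settings store": the value an admin typed into a settings form
// and the device saved; a later page view renders it back.
const settingsStore = { deviceName: "Office-Router" };

function saveDeviceName(name) {
  // The device accepts the value as typed; nothing is validated or stripped
  // at input time (the weakness the advisory describes).
  settingsStore.deviceName = String(name);
}

// VULNERABLE: concatenates the stored value straight into HTML markup, so any
// tag or event handler inside it becomes part of the page.
function renderStatusPageVulnerable(store) {
  return `<h2>Device: ${store.deviceName}</h2>`;
}

// Minimal HTML output encoder for text placed in an element body or a
// double-quoted attribute value. It rewrites the five characters that can
// change the markup context, so stored text can never become markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: same page, but every stored value is encoded for its HTML context
// at the moment it is rendered (output encoding, not input filtering).
function renderStatusPageSafe(store) {
  return `<h2>Device: ${escapeHtml(store.deviceName)}</h2>`;
}

// Defender-side check usable in a review or a test suite: does the rendered
// markup contain a script tag or an inline event handler? Encoded output
// never matches, because "<" has become "&lt;".
function hasScriptMarkup(html) {
  return /<\s*script\b|\bon\w+\s*=/i.test(html);
}

// Walk the flow once with a constructed payload and report both renderings.
function demonstrate(payload) {
  saveDeviceName(payload);
  const vulnerable = renderStatusPageVulnerable(settingsStore);
  const safe = renderStatusPageSafe(settingsStore);
  return {
    vulnerable,
    safe,
    vulnerableExecutesScript: hasScriptMarkup(vulnerable),
    safeExecutesScript: hasScriptMarkup(safe),
  };
}

// Constructed sample payload: a textbook script tag saved as the device name.
const result = demonstrate("<script>alert(1)</script>");
console.log(result);
```

The point of the example is where the fix lives: the value can still be stored as typed, but the page that renders it must encode it for the HTML context it lands in. Run it with `node` to see the same stored string produce a live `<script>` element in the vulnerable rendering and inert `&lt;script&gt;` text in the hardened one. The advisory does not say which pages or fields NETGEAR changed; the firmware updates listed under Mitigation are the only fix the page documents.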

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the affected NETGEAR device's web interface. This can lead to session hijacking, credential theft, or further actions such as modifying device settings or performing unauthorized administrative actions [1]. The attack is limited to the web-based management interface and does not directly compromise the device's network functions.

Mitigation

NETGEAR has released firmware updates that fix this vulnerability. Users should update their devices to the following fixed versions or later: D7800 (1.0.1.56), R7800 (1.0.2.68), RAX120 (1.0.0.78), RBK22/RBR20/RBS20 (2.3.5.26), RBK40/RBR40/RBS40/RBK50/RBR50/RBS50 (2.3.5.30), and WN3000RPv2 (1.0.0.78) [1]. The updates can be downloaded from the NETGEAR Support website and installed via the device's firmware upgrade process. No workaround other than upgrading to a patched version has been provided. There is no indication that this CVE is listed in the CISA KEV.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
