CVE-2020-35812

Vulnerability

Stored cross-site scripting (XSS) vulnerability exists in multiple NETGEAR devices: D7800 (before 1.0.1.56), R7500v2 (before 1.0.3.46), R7800 (before 1.0.2.68), R8900 (before 1.0.4.28), R9000 (before 1.0.4.28), RAX120 (before 1.0.0.78), RBK40/RBR40/RBS40 (before 2.3.5.30), RBK20/RBR20/RBS20 (before 2.3.5.26), RBK50/RBR50/RBS50 (before 2.3.5.30), XR500 (before 2.3.2.56), and XR700 (before 1.0.1.10) [1]. The vulnerability allows a remote attacker to inject arbitrary JavaScript or HTML into the web-based management interface, which is then stored and executed when other users access the interface.

Exploitation

An attacker must be authenticated to the device's web administration panel to exploit the vulnerability, because the stored XSS is injected through settings that require administrative access. The attacker can inject malicious content into fields such as device name or other configurable parameters, which are then stored and rendered on subsequent page loads without proper sanitization [1].

Impact

Successful exploitation enables an authenticated attacker to execute arbitrary JavaScript in the context of other admin users' browsers. This could lead to session hijacking, credential theft, or further attacks against the management interface, potentially compromising the entire network.

Mitigation

NETGEAR has released firmware updates fixing the vulnerability. Users should update to the latest firmware for their respective models as listed in the advisory [1]. If updating is not possible, restrict access to the management interface to trusted users only. No workarounds other than patching are provided.