VYPR
Unrated severity · NVD Advisory · Published Dec 29, 2020 · Updated Aug 4, 2024

CVE-2020-35822

Description

Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in multiple NETGEAR routers and WiFi systems allows attackers to inject malicious scripts via the web interface.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web interface of several NETGEAR routers and WiFi systems. The flaw allows an attacker to inject arbitrary JavaScript code that is stored on the device and later executed when an administrator or user views the affected page. Affected models and firmware versions include: D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10 [1].

Exploitation

An attacker with network access to the device's web interface can inject a malicious script into a stored field (e.g., a configuration parameter). When an authenticated user, such as an administrator, navigates to the page that renders the stored input, the injected script executes in the context of the user's session. The advisory does not specify whether authentication is required for the injection step, but the stored XSS nature implies that the attacker must have the ability to submit data to the vulnerable endpoint [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the web interface. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the web interface and does not directly affect the underlying router firmware or network traffic [1].

Mitigation

NETGEAR has released firmware updates that fix the vulnerability. Users should update to the following versions or later: D7800 to 1.0.1.56, R7500v2 to 1.0.3.46, R7800 to 1.0.2.74, R8900 to 1.0.4.28, R9000 to 1.0.4.28, RAX120 to 1.0.0.78, XR500 to 2.3.2.56, and XR700 to 1.0.1.10. No workarounds are provided; updating firmware is the only recommended mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
