CVE-2020-35826
Description
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, XR500 before 2.3.2.56, and XR700 before 1.0.1.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple NETGEAR routers and WiFi systems are vulnerable to stored cross-site scripting (XSS) before specific firmware versions, enabling script injection.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of multiple NETGEAR routers and WiFi systems. The affected models include D7800 (before 1.0.1.56), R7500v2 (before 1.0.3.46), R7800 (before 1.0.2.74), R8900 (before 1.0.4.28), R9000 (before 1.0.4.28), RAX120 (before 1.0.0.78), RBK50 (before 2.3.5.30), RBR50 (before 2.3.5.30), RBS50 (before 2.3.5.30), XR500 (before 2.3.2.56), and XR700 (before 1.0.1.10). The vulnerability allows an attacker to inject malicious scripts that are stored on the device and executed when other users access the affected page [1].
Exploitation
An attacker with network access to the device's web-based management interface can exploit this vulnerability by injecting malicious JavaScript into input fields that are not properly sanitized. The injected script is then stored and executed in the context of the admin interface when other authenticated users view the affected page. The exact input vector is not disclosed, but typical stored XSS vectors include configuration parameters, device name fields, or other user-supplied data [1].
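The mechanism described above, as an added example that is not part of the CVE record and is not NETGEAR's firmware code: a stored, attacker-controlled string (here a constructed device-name value) is interpolated into a management page once without output encoding and once with it. The field name and payload are hypothetical; the point is that HTML-encoding at render time is what neutralizes stored script, regardless of which input field carried it.

```python
# Added illustration of stored XSS at render time (not code from the CVE
# record or from NETGEAR firmware). The page, field and payload are constructed.
import html

# Constructed sample: a device name previously saved through the web UI.
STORED_DEVICE_NAME = '"><script>alert(1)</script>'


def render_unsafe(device_name: str) -> str:
    """Vulnerable pattern: raw interpolation of a stored value into HTML.

    The closing quote and '>' in the value break out of the attribute, so the
    stored <script> element becomes part of the page for every admin who views it.
    """
    return f'<input name="devname" value="{device_name}">'


def render_safe(device_name: str) -> str:
    """Hardened pattern: HTML-encode the value for the context it lands in.

    html.escape with quote=True encodes & < > " and ', so the browser treats the
    whole value as attribute text rather than as markup.
    """
    return f'<input name="devname" value="{html.escape(device_name, quote=True)}">'


def contains_script_element(rendered: str) -> bool:
    """Crude check used only to compare the two renderings."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_DEVICE_NAME))
    print("safe:  ", render_safe(STORED_DEVICE_NAME))
```

Encoding must match the output context (attribute, element body, JavaScript string, URL); the function above covers the HTML attribute case only, and encoding at storage time instead of render time is a common way to get this wrong.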
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected device's web interface. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the web interface and does not directly affect the device's routing functions, but it can compromise administrative accounts and enable further attacks [1].
Mitigation
NETGEAR has released firmware updates that fix this vulnerability. Users should update to the following versions or later: D7800 1.0.1.56, R7500v2 1.0.3.46, R7800 1.0.2.74, R8900 1.0.4.28, R9000 1.0.4.28, RAX120 1.0.0.78, RBK50 2.3.5.30, RBR50 2.3.5.30, RBS50 2.3.5.30, XR500 2.3.2.56, and XR700 1.0.1.10. No workarounds are available; updating firmware is the only recommended mitigation [1].
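A fleet check built from the fixed-version list above, as an added example that is not part of the CVE record: it maps each listed model to the version given in the advisory and reports which inventory entries still run older firmware. The inventory rows are constructed sample data, and the optional leading "V" handling is an assumption about how firmware strings are commonly written, not something the advisory states.

```python
# Added example (not from the CVE record): flag devices below the fixed
# firmware versions listed for CVE-2020-35826.

# Model -> first fixed version, taken from the advisory text above.
FIXED_VERSIONS = {
    "D7800": "1.0.1.56",
    "R7500v2": "1.0.3.46",
    "R7800": "1.0.2.74",
    "R8900": "1.0.4.28",
    "R9000": "1.0.4.28",
    "RAX120": "1.0.0.78",
    "RBK50": "2.3.5.30",
    "RBR50": "2.3.5.30",
    "RBS50": "2.3.5.30",
    "XR500": "2.3.2.56",
    "XR700": "1.0.1.10",
}


def parse_version(version: str) -> tuple:
    """Turn '1.0.2.62' (or 'V1.0.2.62', assumed vendor prefix) into a comparable tuple.

    Tuples compare component-wise, so '1.0.2.62' < '1.0.2.74' and a shorter
    string such as '1.0.2' sorts below '1.0.2.74'.
    """
    cleaned = version.strip().lstrip("Vv")
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(model: str, firmware: str):
    """True if below the fixed version, False if at/after it, None if the model is not listed."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)


def audit(inventory):
    """Return the (model, firmware) rows that still need the update."""
    return [(model, fw) for model, fw in inventory if is_affected(model, fw)]


# Constructed sample inventory for a run of the check.
SAMPLE_INVENTORY = [
    ("R7800", "V1.0.2.62"),   # below 1.0.2.74 -> affected
    ("R7800", "1.0.2.74"),    # at the fixed version -> not affected
    ("RBK50", "2.3.5.30"),    # fixed
    ("XR500", "2.3.2.40"),    # below 2.3.2.56 -> affected
    ("R6700", "1.0.4.100"),   # not in this advisory -> ignored
]

if __name__ == "__main__":
    for model, fw in audit(SAMPLE_INVENTORY):
        print(f"{model} {fw}: update to {FIXED_VERSIONS[model]} or later")
```

Models returning None are simply outside this advisory's scope, not confirmed safe; check them against their own NETGEAR bulletins.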
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12 NETGEAR devices; see the description for the affected models and fixed versions.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.