CVE-2020-35827
Description
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, and RAX120 before 1.0.0.78.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in multiple NETGEAR devices allows attackers to inject malicious scripts; fixed firmware versions available.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web interface of several NETGEAR routers and WiFi systems. Affected models include D7800 (before 1.0.1.56), RBK50/RBR50/RBS50 (before 2.3.5.30), R7800 (before 1.0.2.74), R8900/R9000 (before 1.0.4.28), XR500 (before 2.3.2.56), XR700 (before 1.0.1.10), and RAX120 (before 1.0.0.78). The vulnerability allows an attacker to store malicious JavaScript in a field that is later rendered when an administrator accesses the affected page.
Exploitation
An authenticated attacker with access to the device's web interface can inject a malicious script into a vulnerable input field. This script is stored on the device and executed in the browser of any administrator who views the affected page, typically without requiring additional user interaction beyond navigating to the page.
Impact
Successful exploitation of this stored XSS vulnerability could allow an attacker to execute arbitrary JavaScript in the context of the administrator's session. This may lead to session hijacking, unauthorized actions, defacement of the web interface, or theft of sensitive information displayed on the page.
Mitigation
NETGEAR has released firmware updates that fix this vulnerability for all affected models [1]. Users should upgrade to the following or later versions: D7800 (1.0.1.56), RBK50/RBR50/RBS50 (2.3.5.30), R7800 (1.0.2.74), R8900/R9000 (1.0.4.28), XR500 (2.3.2.56), XR700 (1.0.1.10), and RAX120 (1.0.0.78). No workarounds are provided; upgrading the firmware is the recommended mitigation.
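An added example (not NETGEAR code and not part of the original record) that checks a device inventory against the fixed firmware versions listed above. It compares versions numerically, because plain string comparison misorders values such as 1.0.1.9 and 1.0.1.10. The inventory rows, the status labels, and the optional leading "V" on version strings are assumptions.

```python
import re

# Fixed firmware versions, copied from the list above.
FIXED = {
    "D7800": "1.0.1.56",
    "RBK50": "2.3.5.30", "RBR50": "2.3.5.30", "RBS50": "2.3.5.30",
    "R7800": "1.0.2.74",
    "R8900": "1.0.4.28", "R9000": "1.0.4.28",
    "XR500": "2.3.2.56",
    "XR700": "1.0.1.10",
    "RAX120": "1.0.0.78",
}

# Assumption: versions are four dotted integers, optionally prefixed with "V".
VERSION_RE = re.compile(r"[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Turn '1.0.1.10' or 'V1.0.1.10' into (1, 0, 1, 10)."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())

def status(model, installed):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unknown-version'."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"        # model is not named in this CVE
    try:
        current = parse_version(installed)
    except ValueError:
        return "unknown-version"   # needs manual review, never guessed
    # Tuple comparison is numeric per component, unlike string comparison.
    return "vulnerable" if current < parse_version(fixed) else "fixed"

def audit(inventory):
    """Map (host, model, version) rows to (host, model, version, status)."""
    return [(h, m, v, status(m, v)) for h, m, v in inventory]

# Constructed sample inventory (hypothetical hosts and installed versions).
INVENTORY = [
    ("gw-01", "XR700", "1.0.1.9"),
    ("gw-02", "XR700", "1.0.1.10"),
    ("gw-03", "r7800", "V1.0.2.68"),
    ("gw-04", "RAX120", "1.0.0.136"),
    ("gw-05", "R7000", "1.0.9.88"),
    ("gw-06", "D7800", "unknown"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-6s %-7s %-10s %s" % row)
```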
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.