CVE-2020-35828
Description
Certain NETGEAR devices are affected by stored XSS. This affects D7800 before 1.0.1.56, RBK20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, RAX120 before 1.0.0.78, and R7500v2 before 1.0.3.46.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple NETGEAR router and WiFi system models are vulnerable to stored cross-site scripting (XSS): a value accepted by the device is saved and later rendered into an admin page without encoding, so arbitrary script runs in the browser of whoever views that page.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web management interface of multiple NETGEAR routers and WiFi systems. A value submitted to the interface is persisted by the device and later written into a management page without adequate output encoding, so script embedded in that value executes in the browser of anyone who views the page. The CVE description does not identify the injectable field or state whether submitting it requires authentication; the narrative below assumes the injection point is a setting that only a logged-in administrator can change, which is the usual case for router admin UIs, and the script then fires for every administrator who later opens the page. Affected firmware versions are: D7800 before 1.0.1.56, RBK20 before 2.3.5.26, RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK40 before 2.3.5.30, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK50 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, R7800 before 1.0.2.74, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, RAX120 before 1.0.0.78, and R7500v2 before 1.0.3.46 [1].
Exploitation
To exploit this vulnerability, an attacker must be able to reach the router's web management interface, which normally means being on the LAN (or on the WAN only if remote management has been enabled), and, under the assumption above, must be logged in. The attacker submits a value containing HTML or JavaScript through a form the interface accepts. The device stores the value verbatim, and the page that later displays it emits the value without encoding it for the HTML context it lands in. When an administrator opens that page, the browser parses the injected markup as part of the page and runs the script inside the administrator's session. Because the payload is stored rather than reflected, it does not depend on the victim clicking a crafted link and it keeps firing on every later view until the stored value is changed [1].
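The mechanism described in the Vulnerability and Exploitation sections, as an added illustration that is not NETGEAR code and does not reproduce the actual vulnerable page: a settings value is saved verbatim and then rendered into a table row either raw (vulnerable) or through an HTML-context encoder (fixed). The setting name `deviceName`, the table markup and the payload are assumptions for the demo.

```javascript
// Added example (not NETGEAR code): a minimal model of how a stored XSS in a
// router admin page arises and how output encoding removes it. The setting
// name "deviceName" and the table markup are assumptions for illustration.

// Simulated persistent settings store; stands in for the device's config storage.
const settings = { deviceName: '' };

// "Save" handler: stores exactly what the (authenticated) user submitted.
// Stored XSS starts here: nothing rejects or neutralises markup.
function saveDeviceName(name) {
  settings.deviceName = String(name);
}

// Encoder for the HTML body / attribute context: every character that can
// start a tag, end a quoted attribute, or introduce an entity is replaced.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable renderer: the stored value is concatenated straight into the page.
function renderDeviceRowVulnerable() {
  return `<tr><td class="name">${settings.deviceName}</td></tr>`;
}

// Fixed renderer: encode for the context the value lands in, at the point of output.
function renderDeviceRowFixed() {
  return `<tr><td class="name">${escapeHtml(settings.deviceName)}</td></tr>`;
}

// Heuristic used only to make the difference visible: does the markup contain
// a real (un-encoded) script element, or a tag carrying an event-handler attribute?
function containsActiveScript(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payload: a classic canary that would pop in the admin's browser.
const PAYLOAD = '<img src=x onerror="alert(1)">';

function demo() {
  saveDeviceName(PAYLOAD);
  return {
    vulnerable: renderDeviceRowVulnerable(),
    fixed: renderDeviceRowFixed(),
    vulnerableExecutes: containsActiveScript(renderDeviceRowVulnerable()),
    fixedExecutes: containsActiveScript(renderDeviceRowFixed()),
  };
}

console.log(demo());
```

The fix is applied at output time, and the encoder must match the context the value is written into (HTML body here; a value dropped inside a `<script>` block or a URL needs a different encoder). Rejecting or length-limiting input at save time is worthwhile defence in depth but is not a substitute, because the same stored value may be rendered in several places.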
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the router's administrative web interface, with whatever authority the viewing administrator's browser carries. The script can hijack the session (by stealing session credentials where the interface uses cookies, or simply by issuing authenticated requests from the victim's browser), change device configuration such as DNS, port forwarding, remote management or the admin password, and persist its own access. Both the confidentiality and the integrity of the management interface, and through it the network behind the router, are at risk [1].
Mitigation
NETGEAR has released fixed firmware for all affected products, and the security advisory recommends updating immediately. The fixed versions are: D7800 1.0.1.56; RBK20, RBR20 and RBS20 2.3.5.26; RBK40, RBR40, RBS40, RBK50, RBR50 and RBS50 2.3.5.30; R7800 1.0.2.74; R8900 and R9000 1.0.4.28; XR500 2.3.2.56; XR700 1.0.1.10; RAX120 1.0.0.78; and R7500v2 1.0.3.46 [1]. No workaround is provided; upgrading the firmware is the required mitigation. Until the upgrade is applied, general hardening (not from the advisory) limits exposure: keep WAN-side remote management disabled, restrict which hosts can reach the LAN admin interface, and log out of the admin UI rather than leaving sessions open.
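A practical check for the fixed-version table above, as an added example that is not NETGEAR tooling: compare each device's reported firmware against the version the description names for its model. The table is transcribed from the description; the inventory lines are constructed for the demo, and the assumption that the UI reports versions like `V1.0.2.74_2.0.58` (leading `V`, build suffix after `_`) is ours.

```javascript
// Added example (not NETGEAR tooling): flag devices whose firmware is below the
// fixed version from the CVE-2020-35828 description. The fix table is transcribed
// from the description; the inventory lines are constructed, and the display
// format "V<version>_<build>" handled by normalizeVersion is an assumption.

const FIXED_VERSIONS = {
  D7800: '1.0.1.56',
  RBK20: '2.3.5.26', RBR20: '2.3.5.26', RBS20: '2.3.5.26',
  RBK40: '2.3.5.30', RBR40: '2.3.5.30', RBS40: '2.3.5.30',
  RBK50: '2.3.5.30', RBR50: '2.3.5.30', RBS50: '2.3.5.30',
  R7800: '1.0.2.74',
  R8900: '1.0.4.28', R9000: '1.0.4.28',
  XR500: '2.3.2.56',
  XR700: '1.0.1.10',
  RAX120: '1.0.0.78',
  R7500v2: '1.0.3.46',
};

// Strip display decoration down to the dotted version the advisory uses.
function normalizeVersion(v) {
  return v.trim().replace(/^v/i, '').split('_')[0];
}

// Component-wise numeric compare: -1 if a < b, 0 if equal, 1 if a > b.
// A plain string compare would rank "1.0.1.9" above "1.0.1.56" and hide an
// unpatched unit, so never compare version strings lexicographically.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// 'vulnerable' if below the fixed version, 'fixed' if at or above, and
// 'not-listed' if the model is not in the advisory (which is not the same as safe).
function assess(model, firmware) {
  const fixed = FIXED_VERSIONS[model];
  if (fixed === undefined) return 'not-listed';
  return compareVersions(normalizeVersion(firmware), fixed) < 0 ? 'vulnerable' : 'fixed';
}

// Constructed inventory export, one "model,firmware" pair per line.
// MODEL-X is a placeholder for a model outside the advisory's list.
const INVENTORY = `
R7800,V1.0.2.68_2.0.52
R7800,V1.0.2.74_2.0.58
D7800,V1.0.1.9
RBK50,2.3.5.30
MODEL-X,V1.2.3.4
`;

function assessInventory(text) {
  return text.trim().split('\n').map((line) => {
    const [model, firmware] = line.split(',').map((s) => s.trim());
    return { model, firmware, status: assess(model, firmware) };
  });
}

console.table(assessInventory(INVENTORY));
```

The third inventory line is the case worth remembering: `1.0.1.9` sorts after `1.0.1.56` as a string, so a spreadsheet-style comparison would report that D7800 as patched when it is not.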
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
NETGEAR devices (the affected models and firmware versions are listed in the description above)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.