CVE-2020-35836

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of multiple NETGEAR router models. The flaw allows an authenticated attacker to inject arbitrary JavaScript or HTML into stored fields, which is later executed in the browser of other users accessing the same interface. Affected models include D7800 (before 1.0.1.56), R7500v2 (before 1.0.3.46), R7800 (before 1.0.2.74), R8900 (before 1.0.4.28), R9000 (before 1.0.4.28), XR500 (before 2.3.2.56), XR700 (before 1.0.1.10), and RAX120 (before 1.0.0.78) [1].

Exploitation

An attacker must first authenticate to the router's web interface with valid credentials. Once logged in, the attacker can craft a malicious payload and submit it via a vulnerable input field (e.g., device name, SSID, or other configuration parameters). The payload is stored on the device and subsequently rendered without proper sanitization when an administrator or other user views the affected page. No additional user interaction beyond viewing the page is required for the payload to execute [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is limited to the web interface and does not directly compromise the router's operating system or network traffic [1].

Mitigation

NETGEAR has released firmware updates to address this vulnerability. Users should upgrade to the following fixed versions or later: D7800 (1.0.1.56), R7500v2 (1.0.3.46), R7800 (1.0.2.74), R8900 (1.0.4.28), R9000 (1.0.4.28), XR500 (2.3.2.56), XR700 (1.0.1.10), and RAX120 (1.0.0.78). The updates are available from NETGEAR Support. No workarounds are documented; upgrading is the only recommended mitigation [1].