CVE-2020-35839
Description
Certain NETGEAR devices are affected by Stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, and RAX120 before 1.0.0.78.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in multiple NETGEAR routers allows authenticated attackers to inject malicious scripts via the web interface, leading to potential session hijacking or data theft.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of several NETGEAR router models. The vulnerability allows an attacker to inject malicious scripts that are stored on the device and executed when other authenticated users access the affected page. Affected models and fixed firmware versions include: D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, XR500 before 2.3.2.56, XR700 before 1.0.1.10, and RAX120 before 1.0.0.78 [1].
Exploitation
An attacker must have authenticated access to the router's web interface. By submitting crafted input to a vulnerable field (e.g., in configuration pages), the attacker can inject a persistent JavaScript payload. When another administrator or user with access to the same interface views the affected page, the payload executes in the context of their session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of an authenticated user. This can lead to session hijacking, theft of sensitive information displayed on the interface, or further actions within the router's administrative capabilities, potentially compromising the entire network [1].
Mitigation
NETGEAR has released firmware updates that fix this vulnerability. Users should upgrade to the latest firmware for their specific model as listed in the advisory [1]. The fixed versions are: D7800 1.0.1.56, R7500v2 1.0.3.46, R7800 1.0.2.68, R8900 1.0.4.28, R9000 1.0.4.28, XR500 2.3.2.56, XR700 1.0.1.10, and RAX120 1.0.0.78. No workarounds are provided; updating firmware is the recommended mitigation.
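The check below is an added example, not part of the advisory or of NETGEAR's tooling: it compares an inventory of model and firmware pairs against the fixed versions listed above. The inventory rows and the accepted version-string formats (an optional leading `V`, an optional suffix after the dotted number) are assumptions.

```python
import re

# Fixed firmware versions per model, copied from the advisory text on this page.
FIXED = {
    "D7800": "1.0.1.56", "R7500V2": "1.0.3.46",
    "R7800": "1.0.2.68", "R8900": "1.0.4.28",
    "R9000": "1.0.4.28", "XR500": "2.3.2.56",
    "XR700": "1.0.1.10", "RAX120": "1.0.0.78",
}

def parse_version(text):
    """Turn 'V1.0.2.62' or '1.0.2.62_suffix' into a tuple of ints."""
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def triage(model, firmware):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unknown-version'."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"          # model is not named in this CVE
    try:
        installed = parse_version(firmware)
    except ValueError:
        return "unknown-version"     # needs a manual look, do not assume safe
    # Compare numerically: 2.3.2.9 is older than 2.3.2.56, although a plain
    # string comparison would order them the other way round.
    return "vulnerable" if installed < parse_version(fixed) else "fixed"

# Constructed inventory for illustration (not real devices).
INVENTORY = [
    ("R7800", "V1.0.2.62"),
    ("r7500v2", "1.0.3.46"),
    ("XR500", "V2.3.2.9"),
    ("RAX120", "1.0.0.136"),
    ("R6400", "1.0.1.52"),
    ("R9000", "unknown"),
]

def report(inventory=INVENTORY):
    """Return (model, firmware, status) for every inventory row."""
    return [(m, fw, triage(m, fw)) for m, fw in inventory]

if __name__ == "__main__":
    for model, fw, status in report():
        print(f"{model:8} {fw:12} {status}")
```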
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- NETGEAR/devices (description)
Patches (0)
No patches discovered yet.
References (1)