CVE-2021-45665

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in several NETGEAR extenders and WiFi systems. The flaw affects the web-based management interface of the following models before the specified firmware versions: EAX20 (before 1.0.0.36), EAX80 (before 1.0.1.62), EX3700 and EX3800 (before 1.0.0.90), EX6120 (before 1.0.0.64), EX6130 (before 1.0.0.44), EX7500 (before 1.0.0.72), RBW30 (before 2.6.1.4), RBK752, RBR750, RBS750 (before 3.2.16.6), RBK852, RBR850, RBS850 (before 3.2.16.6), and RBS40V (before 2.6.1.4). The vulnerability is due to insufficient sanitization of user-supplied input, allowing malicious script to be stored and later executed when an administrator visits a specific page [1].

Exploitation

An attacker with access to the device's web interface (e.g., a local network user) can inject malicious JavaScript into a vulnerable input field. The injected script is stored on the device and executed in the context of the affected page when another user (such as an administrator) accesses it. No additional privileges are required beyond network access to the administration interface [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript within the context of the device's web interface. This could lead to session hijacking, credential theft, or further compromise of the device. The impact is limited to the web management interface and does not extend to the underlying OS or network traffic [1].

Mitigation

NETGEAR has released fixed firmware versions for all affected models. Users should update to the latest firmware as soon as possible: EAX20 (1.0.0.36), EAX80 (1.0.1.62), EX3700/EX3800 (1.0.0.90), EX6120 (1.0.0.64), EX6130 (1.0.0.44), EX7500 (1.0.0.72), RBW30 (2.6.1.4), RBK752/RBR750/RBS750 (3.2.16.6), RBK852/RBR850/RBS850 (3.2.16.6), and RBS40V (2.6.1.4). Firmware updates are available via the NETGEAR Support page. No workarounds are provided if the fix cannot be applied [1].