VYPR
Unrated severity · NVD Advisory · Published Dec 26, 2021 · Updated Aug 4, 2024

CVE-2021-45666

Description

Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX80 before 1.0.1.64, EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 2.6.1.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored cross-site scripting vulnerability in multiple NETGEAR devices allows attackers to inject malicious scripts via unvalidated input.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in several NETGEAR extenders and WiFi systems. The flaw occurs when user-supplied input is not properly sanitized before being stored and later rendered in the web interface. Affected models include CBR40 (before 2.5.0.10), EAX80 (before 1.0.1.64), EX3700 (before 1.0.0.90), EX3800 (before 1.0.0.90), EX6120 (before 1.0.0.64), EX6130 (before 1.0.0.44), EX7500 (before 1.0.0.72), RBW30 (before 2.6.1.4), RBK752 (before 3.2.16.6), RBR750 (before 3.2.16.6), RBS750 (before 3.2.16.6), RBK852 (before 3.2.16.6), RBR850 (before 3.2.16.6), RBS850 (before 3.2.16.6), and RBS40V (before 2.6.1.4) [1].

Exploitation

An attacker with network access to the device's management interface can inject malicious JavaScript into a vulnerable input field (e.g., SSID name, admin settings). The injected script is stored on the device and executed when an administrator views the affected page. No authentication is required to trigger the stored payload if the input is accessible without login, though some vectors may require low-privileged access [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the administrator's browser session. This can lead to theft of session cookies, redirection to malicious sites, or further compromise of the device's configuration and network [1].

Mitigation

NETGEAR has released firmware updates that fix the vulnerability. Users should upgrade to the latest firmware for their specific model: CBR40 to 2.5.0.10, EAX80 to 1.0.1.64, EX3700 to 1.0.0.90, EX3800 to 1.0.0.90, EX6120 to 1.0.0.64, EX6130 to 1.0.0.44, EX7500 to 1.0.0.72, RBW30 to 2.6.1.4, RBK752 to 3.2.16.6, RBR750 to 3.2.16.6, RBS750 to 3.2.16.6, RBK852 to 3.2.16.6, RBR850 to 3.2.16.6, RBS850 to 3.2.16.6, and RBS40V to 2.6.1.4 [1]. No workarounds are documented; updating firmware is the only recommended mitigation.
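As an added check that is not part of this advisory or of any NETGEAR tooling: a small Python helper that decides whether a device's reported firmware is below the fixed version listed above. It compares each dotted component numerically, because plain string comparison would rank 1.0.0.7 above 1.0.0.64. Model names and fixed versions come from the advisory; the handling of a leading "V" and a "_" build suffix, and the sample inventory, are assumptions.

```python
from typing import List, Optional, Tuple

# Fixed firmware versions as stated in the advisory text for CVE-2021-45666.
FIXED_VERSIONS = {
    "CBR40": "2.5.0.10", "EAX80": "1.0.1.64", "EX3700": "1.0.0.90",
    "EX3800": "1.0.0.90", "EX6120": "1.0.0.64", "EX6130": "1.0.0.44",
    "EX7500": "1.0.0.72", "RBW30": "2.6.1.4", "RBK752": "3.2.16.6",
    "RBR750": "3.2.16.6", "RBS750": "3.2.16.6", "RBK852": "3.2.16.6",
    "RBR850": "3.2.16.6", "RBS850": "3.2.16.6", "RBS40V": "2.6.1.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string into an integer tuple so that
    (1,0,0,7) < (1,0,0,64); a string compare would get this wrong.
    Assumption: a leading 'V' and a '_...' build suffix (e.g. 'V1.0.1.64_1.0.1')
    may be present and are not part of the comparable version."""
    core = version.strip().lstrip("Vv").split("_", 1)[0]
    try:
        return tuple(int(part) for part in core.split("."))
    except ValueError:
        raise ValueError(f"unparseable firmware version: {version!r}")


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if the firmware is below the fixed version for this model,
    False if it is at or above it, None if the model is not in the advisory."""
    fixed = FIXED_VERSIONS.get(model.strip().upper())
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Classify (model, firmware) pairs into vulnerable / fixed / not_listed."""
    result = {"vulnerable": [], "fixed": [], "not_listed": []}
    for model, firmware in inventory:
        status = is_vulnerable(model, firmware)
        key = "not_listed" if status is None else ("vulnerable" if status else "fixed")
        result[key].append((model, firmware))
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("EX6120", "V1.0.0.7_1.0.1"), ("CBR40", "2.5.0.10"), ("XR500", "2.3.2.32")]
    print(triage(sample))
```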

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
