CVE-2021-45667
Description
Certain NETGEAR devices are affected by stored XSS. This affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 1.4.1.66, RAX200 before 1.0.3.106, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, EX3700 before 1.0.0.90, MR60 before 1.0.6.110, R8000P before 1.4.1.66, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, R7900P before 1.4.1.66, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the web management interface of multiple NETGEAR routers, extenders, and mesh WiFi systems running firmware before the listed fixed versions lets an attacker plant script that later runs in an administrator's browser.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of multiple NETGEAR devices. It affects firmware before the fixed version listed for each model: CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 1.4.1.66, RAX200 before 1.0.3.106, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, EX3700 before 1.0.0.90, MR60 before 1.0.6.110, R8000P before 1.4.1.66, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, R7900P before 1.4.1.66, RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6 [1]. The defect is in the firmware's web UI code: a stored, attacker-controlled value is written into a page without HTML encoding, so it is interpreted as markup and any script in it runs when an administrator opens that page.
Exploitation
The description does not name the input vector or the privilege needed to store the payload [1]. The likely path is write access to a stored setting (a name or configuration field) that the web interface later renders without encoding; in most router UIs that means an authenticated administrator, although the description does not say whether a lower-privilege path can feed the same field, which would widen the exposure. Once the payload is stored, nothing more is needed than an administrator viewing the affected page: the script then executes in that administrator's authenticated browser session, and it fires again on every later visit until the stored value is removed.
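The rendering defect and its fix, as an added illustration that is not NETGEAR's code and does not reproduce the real handler or field: a hypothetical CGI renderer interpolates a stored "device name" setting into HTML verbatim (the stored-XSS shape described above), beside a hardened version that HTML-encodes the value first and fails closed, rendering a placeholder rather than partial or raw data, when the encoded form would not fit its buffer. The field name, page template, buffer sizes and the sample payload are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the stored-XSS shape, not NETGEAR code.
 * The "device name" field, template and buffer sizes are assumptions. */

/* Constructed sample: a value an attacker might store in a settings field. */
static const char SAMPLE_NAME[] = "<script>alert(1)</script>";

/* HTML-encode 'in' into 'out' (capacity outlen). Returns the number of
 * bytes written excluding the NUL, or -1 if the result would not fit.
 * It never truncates: a half-written entity would itself be unsafe. */
static int html_escape(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    if (outlen == 0) return -1;
    for (const char *p = in; *p; p++) {
        char one[2] = { *p, 0 };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (o + n + 1 > outlen) return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Vulnerable: the stored value is dropped straight into the page. */
static int render_vulnerable(const char *name, char *page, size_t pagelen) {
    int n = snprintf(page, pagelen, "<td>Device name: %s</td>", name);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

/* Hardened: encode first; if encoding fails, show a placeholder, never raw data. */
static int render_safe(const char *name, char *page, size_t pagelen) {
    char esc[256];
    const char *shown = html_escape(name, esc, sizeof esc) < 0 ? "(invalid)" : esc;
    int n = snprintf(page, pagelen, "<td>Device name: %s</td>", shown);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

/* Crude check used only to contrast the two renderers on the sample. */
static int contains_raw_tag(const char *page) {
    return strstr(page, "<script") != NULL;
}

/* Named results so the outcome on the sample is a return value, not output. */
static int vulnerable_leaks_tag(void) {
    char page[512];
    return render_vulnerable(SAMPLE_NAME, page, sizeof page) > 0 && contains_raw_tag(page);
}

static int hardened_leaks_tag(void) {
    char page[512];
    return render_safe(SAMPLE_NAME, page, sizeof page) > 0 && contains_raw_tag(page);
}

int main(void) {
    char page[512];
    render_vulnerable(SAMPLE_NAME, page, sizeof page);
    printf("vulnerable: %s\n", page);
    render_safe(SAMPLE_NAME, page, sizeof page);
    printf("hardened:   %s\n", page);
    return hardened_leaks_tag();
}
```

The encoder covers the five characters that matter in HTML text and attribute-value context; a value that lands inside a script block or an event-handler attribute would need context-specific encoding, which is why the hardened renderer only ever places the value in element text.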
Impact
Successful exploitation runs attacker-controlled JavaScript or HTML in the browser of an authenticated administrator. Because the script runs with that session's authority, it can do whatever the administrator can do through the interface: read or change settings, steal the session or any credentials the page exposes, deface pages, or redirect the browser elsewhere. The bug does not by itself execute code on the device, but script acting inside an administrative session can drive any configuration change the UI permits. If administrative access is the only way to plant the payload, that requirement reduces severity; the stored nature still means the payload persists and fires on each later visit until removed [1].
Mitigation
NETGEAR has released fixed firmware for all affected models as listed in the advisory [1]. Users should update to at least the following versions: CBR40 2.5.0.10, EAX20 1.0.0.48, EAX80 1.0.1.64, EX6120 1.0.0.64, EX6130 1.0.0.44, EX7500 1.0.0.72, R7960P 1.4.1.66, RAX200 1.0.3.106, RBS40V 2.6.1.4, RBW30 2.6.1.4, EX3700 1.0.0.90, MR60 1.0.6.110, R8000P 1.4.1.66, RAX20 1.0.2.82, RAX45 1.0.2.72, RAX80 1.0.3.106, EX3800 1.0.0.90, MS60 1.0.6.110, R7900P 1.4.1.66, RAX15 1.0.2.82, RAX50 1.0.2.72, RAX75 1.0.3.106, RBR750 3.2.16.6, RBR850 3.2.16.6, RBS750 3.2.16.6, RBS850 3.2.16.6, RBK752 3.2.16.6, and RBK852 3.2.16.6 [1]. The advisory discloses no workaround other than applying the update; general hardening of the management interface (keeping it unreachable from the WAN, logging out after administrative sessions) limits who can reach the vulnerable page but does not remove the flaw.
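A version check against the fixed-version table above, added here as an example and not a NETGEAR tool: it compares dotted versions numerically (plain string comparison would rank 1.0.3.9 above 1.0.3.106) and reports whether a given model and running version fall below the fix. The handling of a leading "V" and a trailing build suffix is an assumption about how a device may report its firmware string; the model names and fixed versions are copied from the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not a NETGEAR tool. Fixed versions are copied from the
 * CVE-2021-45667 description; everything else here is an assumption. */
struct fix { const char *model; const char *fixed; };
static const struct fix FIXES[] = {
    {"CBR40", "2.5.0.10"},  {"EAX20", "1.0.0.48"},  {"EAX80", "1.0.1.64"},
    {"EX6120", "1.0.0.64"}, {"EX6130", "1.0.0.44"}, {"EX7500", "1.0.0.72"},
    {"R7960P", "1.4.1.66"}, {"RAX200", "1.0.3.106"}, {"RBS40V", "2.6.1.4"},
    {"RBW30", "2.6.1.4"},   {"EX3700", "1.0.0.90"}, {"MR60", "1.0.6.110"},
    {"R8000P", "1.4.1.66"}, {"RAX20", "1.0.2.82"},  {"RAX45", "1.0.2.72"},
    {"RAX80", "1.0.3.106"}, {"EX3800", "1.0.0.90"}, {"MS60", "1.0.6.110"},
    {"R7900P", "1.4.1.66"}, {"RAX15", "1.0.2.82"},  {"RAX50", "1.0.2.72"},
    {"RAX75", "1.0.3.106"}, {"RBR750", "3.2.16.6"}, {"RBR850", "3.2.16.6"},
    {"RBS750", "3.2.16.6"}, {"RBS850", "3.2.16.6"}, {"RBK752", "3.2.16.6"},
    {"RBK852", "3.2.16.6"},
};

/* Compare dotted numeric versions component by component; a missing
 * component counts as 0, so "1.0.3" equals "1.0.3.0". Returns <0, 0 or >0.
 * strcmp() would be wrong here: it ranks "1.0.3.9" above "1.0.3.106".
 * Assumption: a device may report "V1.0.3.106_10.0.1"; the leading 'V' is
 * skipped and parsing stops at the first character that is neither a digit
 * nor a dot, so a build suffix after '_' is ignored. */
static int version_cmp(const char *a, const char *b) {
    if (*a == 'V' || *a == 'v') a++;
    if (*b == 'V' || *b == 'v') b++;
    for (;;) {
        char *ea, *eb;
        long x = strtol(a, &ea, 10);
        long y = strtol(b, &eb, 10);
        if (x != y) return x < y ? -1 : 1;
        int more_a = (*ea == '.'), more_b = (*eb == '.');
        if (!more_a && !more_b) return 0;
        a = more_a ? ea + 1 : ea;   /* an exhausted side keeps yielding 0 */
        b = more_b ? eb + 1 : eb;
    }
}

/* 1 = below the fixed version, 0 = fixed version or later, -1 = model not listed. */
static int is_vulnerable(const char *model, const char *running) {
    for (size_t i = 0; i < sizeof FIXES / sizeof FIXES[0]; i++)
        if (strcmp(FIXES[i].model, model) == 0)
            return version_cmp(running, FIXES[i].fixed) < 0;
    return -1;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s MODEL RUNNING_VERSION\n", argv[0]);
        return 2;
    }
    int r = is_vulnerable(argv[1], argv[2]);
    if (r < 0)
        printf("%s: not in the CVE-2021-45667 model list\n", argv[1]);
    else
        printf("%s %s: %s\n", argv[1], argv[2],
               r ? "below fixed version, update" : "fixed version or later");
    return r == 1;
}
```

Run it as `./check RAX80 V1.0.3.100_1.0.1`; the exit status is 1 when the device is below the fixed version, so it can sit in an inventory script.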
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 4
NETGEAR / NETGEAR devices
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.