CVE-2021-46382

An unauthenticated attacker can inject arbitrary JavaScript into the web interface of the Netgear WAC120 AC Access Point. Because the XSS is unauthenticated, no login or prior access is required. The attacker would craft a malicious link or payload that, when visited by an administrator or other user, executes in the context of the device's management interface. This could lead to session hijacking, clipboard hijacking, or other client-side attacks. [ref_id=1]

The advisory does not specify the exact file or function within the Netgear WAC120 firmware that is vulnerable. The only reference provided is the general NETGEAR security advisory page, which lacks technical details about the affected code path.

The advisory does not include a patch diff or specific remediation instructions. NETGEAR's security policy states that fixes are developed for supported products and published in monthly security patch updates. Users should check the NETGEAR Security Advisories page for a firmware update that addresses this CVE. [ref_id=1]