CVE-2020-35841

30.12.2020, 00:15

Certain NETGEAR devices are affected by stored XSS. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JNR1010v2 before 1.1.0.62, JR6150 before 1.0.1.24, JWNR2010v5 before 1.1.0.62, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.76, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, WNR1000v4 before 1.1.0.62, WNR2020 before 1.1.0.62, and WNR2050 before 1.1.0.62.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.9 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
mitre	CNA	6.9 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AC:L/AV:A/A:N/C:L/I:H/PR:L/S:C/UI:R
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Vendor	Product	Version
netgear	d6200_firmware	𝑥 < 1.1.00.38
netgear	d7000_firmware	𝑥 < 1.0.1.78
netgear	jnr1010v2_firmware	𝑥 < 1.1.0.62
netgear	jr6150_firmware	𝑥 < 1.0.1.24
netgear	jwnr2010v5_firmware	𝑥 < 1.1.0.62
netgear	r6020_firmware	𝑥 < 1.0.0.42
netgear	r6050_firmware	𝑥 < 1.0.1.24
netgear	r6080_firmware	𝑥 < 1.0.0.42
netgear	r6120_firmware	𝑥 < 1.0.0.66
netgear	r6220_firmware	𝑥 < 1.1.0.100
netgear	r6260_firmware	𝑥 < 1.1.0.76
netgear	r6700v2_firmware	𝑥 < 1.2.0.62
netgear	r6800_firmware	𝑥 < 1.2.0.62
netgear	r6900v2_firmware	𝑥 < 1.2.0.62
netgear	r7450_firmware	𝑥 < 1.2.0.62
netgear	wnr1000v4_firmware	𝑥 < 1.1.0.62
netgear	wnr2020_firmware	𝑥 < 1.1.0.62
netgear	wnr2050_firmware	𝑥 < 1.1.0.62

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://kb.netgear.com/000062712/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-Routers-PSV-2019-0013