CVE-2019-20752 in D3600
Summary
by MITRE
Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.75, D6000 before 1.0.0.75, D7800 before 1.0.1.44, DM200 before 1.0.0.58, R7800 before 1.0.2.58, R8900 before 1.0.4.12, R9000 before 1.0.4.12, RBK20 before 2.3.0.28, RBR20 before 2.3.0.28, RBS20 before 2.3.0.28, RBK40 before 2.3.0.28, RBS40 before 2.3.0.28, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, RBS50 before 2.3.0.32, WN3000RPv2 before 1.0.0.68, WN3000RPv3 before 1.0.2.70, WN3100RPv2 before 1.0.0.60, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, and WNR2000v5 before 1.0.0.68.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/07/2025
This stored cross-site scripting vulnerability affects multiple NETGEAR router models and is categorized under CWE-79 as improper neutralization of input during web page generation. The flaw exists in the web interface authentication and configuration components where user-supplied data is not properly sanitized before being stored and subsequently rendered back to users. Attackers can exploit this vulnerability by crafting malicious input through web forms or API endpoints that are then stored on the device's web server. When authenticated users subsequently access the affected web pages, their browsers execute the malicious scripts contained within the stored data, potentially leading to session hijacking, credential theft, or unauthorized administrative access. The vulnerability impacts devices running firmware versions prior to the specified patches, with the affected models including various D-series, R-series, RBK, RBR, RBS, WN-series, and WNR models. This represents a significant security risk as it allows attackers to establish persistent malicious presence on network infrastructure devices. The operational impact extends beyond simple script execution since these devices typically serve as gateways to home and small office networks, making them attractive targets for attackers seeking to compromise entire network ecosystems. The vulnerability enables adversaries to leverage the device's privileged position to perform actions such as modifying network configurations, redirecting traffic, or establishing backdoor access points. From an ATT&CK framework perspective, this vulnerability maps to T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS) as attackers can use the stored XSS to redirect users to malicious domains or manipulate DNS settings. The attack chain typically involves initial access through a compromised user session or direct exploitation of the web interface, followed by persistent malicious script delivery to all authenticated users of the device. The vulnerability affects both authenticated and unauthenticated access scenarios, though exploitation requires some level of user interaction or prior access to the device's administrative interface. Devices that support web-based configuration and management interfaces are particularly vulnerable, as these typically handle user input through forms, API calls, or configuration parameters that are not adequately validated or sanitized. The security implications are compounded by the fact that these devices often remain accessible on local networks and may be configured with default credentials or weak authentication mechanisms. Network segmentation and access controls provide limited protection against this attack vector since the vulnerability exists within the device's own web interface. Mitigation strategies include immediate firmware updates to patched versions, implementation of network monitoring to detect anomalous web traffic patterns, and user education regarding suspicious web interface behaviors. The vulnerability demonstrates the importance of input validation and output encoding in web applications, particularly those running on network infrastructure devices where persistent access can provide long-term network compromise opportunities. Organizations should conduct inventory assessments to identify all affected devices and implement remediation procedures across their entire network infrastructure. Regular vulnerability scanning and patch management processes are essential to prevent exploitation of similar stored XSS vulnerabilities in other network equipment. The impact extends to both enterprise and consumer networks, as these devices often serve as primary network access points and may be configured with insufficient security controls. Network administrators should also consider implementing web application firewalls or intrusion detection systems to monitor for exploitation attempts targeting these specific vulnerabilities.