CVE-2019-20752

Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.75, D6000 before 1.0.0.75, D7800 before 1.0.1.44, DM200 before 1.0.0.58, R7800 before 1.0.2.58, R8900 before 1.0.4.12, R9000 before 1.0.4.12, RBK20 before 2.3.0.28, RBR20 before 2.3.0.28, RBS20 before 2.3.0.28, RBK40 before 2.3.0.28, RBS40 before 2.3.0.28, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, RBS50 before 2.3.0.32, WN3000RPv2 before 1.0.0.68, WN3000RPv3 before 1.0.2.70, WN3100RPv2 before 1.0.0.60, WNDR4300v2 before 1.0.0.58, WNDR4500v3 before 1.0.0.58, and WNR2000v5 before 1.0.0.68.

CVSS v3.0 4.8 MEDIUM
CVSS v2.0 3.5 LOW

4.8^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://kb.netgear.com/000060967/Security-Advisory-for-Site-Stored-Cross-Scripting-on-Some-Gateways-Routers-and-WiFi-Systems-PSV-2018-0250	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:netgear:d3600_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d3600:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:netgear:d6000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d6000:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:netgear:d7800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:d7800:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:netgear:dm200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:dm200:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:netgear:r7800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r7800:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:netgear:r8900_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r8900:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:netgear:r9000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:r9000:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:netgear:rbk20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbk20:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:netgear:rbr20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbr20:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:netgear:rbs20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbs20:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:netgear:rbk40_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbk40:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:netgear:rbs40_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbs40:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:netgear:rbk50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbk50:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:netgear:rbr50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbr50:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:netgear:rbs50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:rbs50:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:netgear:wn3000rp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wn3000rp:v2:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:netgear:wn3000rp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wn3000rp:v3:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:netgear:wn3100rp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wn3100rp:v2:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:netgear:wndr4300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wndr4300:v2:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:netgear:wndr4500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wndr4500:v3:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:netgear:wnr2000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netgear:wnr2000:v5:*:*:*:*:*:*:*

Information

Published : 2020-04-16 15:15

Updated : 2020-04-23 12:45

NVD link : CVE-2019-20752

Mitre link : CVE-2019-20752

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Products Affected

netgear

wndr4300_firmware
rbk40_firmware
dm200
d6000_firmware
rbk20_firmware
wndr4500
wndr4500_firmware
r7800
r9000_firmware
r8900
rbs40_firmware
wn3100rp
rbs50_firmware
rbs20_firmware
rbk50
d7800_firmware
r7800_firmware
d7800
rbk40
wn3000rp_firmware
rbk50_firmware
rbr50_firmware
wnr2000
r8900_firmware
dm200_firmware
rbr20
wn3000rp
rbs20
wn3100rp_firmware
d3600
d6000
r9000
rbr50
wndr4300
rbs40
rbr20_firmware
rbs50
d3600_firmware
rbk20
wnr2000_firmware

4.8 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-20752

4.8^/10

3.5^/10

Attach tags to `CVE-2019-20752`