CVE-2020-27861 – NETGEAR Orbi UA_Parser Host Name Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-27861
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. • https://kb.netgear.com/000062507/Security-Advisory-for-Unauthenticated-Command-Injection-Vulnerability-on-Some-Extenders-and-Orbi-WiFi-Systems https://www.zerodayinitiative.com/advisories/ZDI-20-1430 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-20678
https://notcve.org/view.php?id=CVE-2019-20678
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30. Determinados dispositivos NETGEAR están afectados por una vulnerabilidad de tipo XSS almacenado. Esto afecta a RBR20 versiones anteriores a 2.3.5.26, RBS20 versiones anteriores a 2.3.5.26, RBK20 versiones anteriores a 2.3.5.26, RBR40 versiones anteriores a 2.3.5.30, RBS40 versiones anteriores a 2.3.5.30, RBK40 versiones anteriores a 2.3.5.30, RBR50 versiones anteriores a 2.3.5.30, RBS50 versiones anteriores a 2.3.5.30, y RBK50 versiones anteriores a 2.3.5.30. • https://kb.netgear.com/000061461/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-WiFi-Systems-PSV-2018-0540 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-20674
https://notcve.org/view.php?id=CVE-2019-20674
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30. Determinados dispositivos NETGEAR están afectados por una vulnerabilidad de tipo XSS almacenado. Esto afecta a RBR20 versiones anteriores a 2.3.5.26, RBS20 versiones anteriores a 2.3.5.26, RBK20 versiones anteriores a 2.3.5.26, RBR40 versiones anteriores a 2.3.5.30, RBS40 versiones anteriores a 2.3.5.30, RBK40 versiones anteriores a 2.3.5.30, RBR50 versiones anteriores a 2.3.5.30, RBS50 versiones anteriores a 2.3.5.30, y RBK50 versiones anteriores a 2.3.5.30. • https://kb.netgear.com/000061465/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-WiFi-Systems-PSV-2018-0545 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-20673
https://notcve.org/view.php?id=CVE-2019-20673
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30. Determinados dispositivos NETGEAR están afectados por una vulnerabilidad de tipo XSS almacenado. Esto afecta a RBR20 versiones anteriores a 2.3.5.26, RBS20 versiones anteriores a 2.3.5.26, RBK20 versiones anteriores a 2.3.5.26, RBR40 versiones anteriores a 2.3.5.30, RBS40 versiones anteriores a 2.3.5.30, RBK40 versiones anteriores a 2.3.5.30, RBR50 versiones anteriores a 2.3.5.30, RBS50 versiones anteriores a 2.3.5.30, y RBK50 versiones anteriores a 2.3.5.30. • https://kb.netgear.com/000061466/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-WiFi-Systems-PSV-2018-0546 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-20671
https://notcve.org/view.php?id=CVE-2019-20671
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30. Determinados dispositivos NETGEAR están afectados por una vulnerabilidad de tipo XSS almacenado. Esto afecta a RBR20 versiones anteriores a 2.3.5.26, RBS20 versiones anteriores a 2.3.5.26, RBK20 versiones anteriores a 2.3.5.26, RBR40 versiones anteriores a 2.3.5.30, RBS40 versiones anteriores a 2.3.5.30, RBK40 versiones anteriores a 2.3.5.30, RBR50 versiones anteriores a 2.3.5.30, RBS50 versiones anteriores a 2.3.5.30, y RBK50 versiones anteriores a 2.3.5.30. • https://kb.netgear.com/000061468/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-WiFi-Systems-PSV-2018-0548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •