CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-12513 – Stored XSS via DHCP Discover Request Hostname
https://notcve.org/view.php?id=CVE-2019-12513
24 Feb 2020 — In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP discover request containing a malicious hostname field, an attacker may execute stored XSS attacks against this device. When the malicious DHCP request is received, the device will generate a log entry containing the malicious hostname. This log entry may then be viewed at Advanced settings->Administration->Logs to trigger the exploit. Although this value is inserted into a textarea tag, converted to all-caps, and limited in length, attacks ... • https://www.ise.io/casestudies/sohopelessly-broken-2-0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-12512 – Stored XSS via X-Forwarded-For Header During Incorrect Login
https://notcve.org/view.php?id=CVE-2019-12512
24 Feb 2020 — In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execute stored XSS attacks against this device by supplying a malicious X-Forwarded-For header while performing an incorrect login attempt. The value supplied by this header will be inserted into administrative logs, found at Advanced settings->Administration->Logs, and may trigger when the page is viewed. Although this value is inserted into a textarea tag, the attack simply needs to supply a closing textarea tag. En NETGEAR Nighthawk X10-R90... • https://www.ise.io/casestudies/sohopelessly-broken-2-0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-12511 – Root Command Injection via MAC Address in SOAP API
https://notcve.org/view.php?id=CVE-2019-12511
24 Feb 2020 — In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to expl... • https://www.ise.io/casestudies/sohopelessly-broken-2-0 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-12510 – Auth Bypass Via X-Forwarded-For Header in SOAP API
https://notcve.org/view.php?id=CVE-2019-12510
24 Feb 2020 — In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API ("/soap/server_sa") by supplying a malicious X-Forwarded-For header of the device's LAN IP address (192.168.1.1) in every request. As a result, an attacker may modify almost all of the device's settings and view various configuration settings. En NETGEAR Nighthawk X10-R900 versiones anteriores a 1.0.4.26, un atacante puede omitir todas las verificaciones de autenticación... • https://www.ise.io/casestudies/sohopelessly-broken-2-0 • CWE-345: Insufficient Verification of Data Authenticity •