Details of VAR-202004-0777

ID

VAR-202004-0777

CVE

CVE-2019-20715

TITLE

plural NETGEAR Cross-site scripting vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-015317

DESCRIPTION

Certain NETGEAR devices are affected by stored XSS. This affects D3600 before 1.0.0.76, D6000 before 1.0.0.76, D6100 before 1.0.0.63, D7800 before 1.0.1.47, DM200 before 1.0.0.61, R7500v2 before 1.0.3.40, R7800 before 1.0.2.60, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, and RBS50 before 2.3.0.32. plural NETGEAR A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR D3600, etc. are all products of NETGEAR. NETGEAR D3600 is a wireless modem. NETGEAR D6000 is a wireless modem. NETGEAR R7500 is a wireless router. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code

Trust: 2.16

sources: NVD: CVE-2019-20715 // JVNDB: JVNDB-2019-015317 // CNVD: CNVD-2020-30686

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-30686

AFFECTED PRODUCTS

vendor:	netgear	model:	r7800	scope:	lt	version:	1.0.2.60	Trust: 1.6
vendor:	netgear	model:	d3600	scope:	lt	version:	1.0.0.76	Trust: 1.6
vendor:	netgear	model:	d6000	scope:	lt	version:	1.0.0.76	Trust: 1.6
vendor:	netgear	model:	d7800	scope:	lt	version:	1.0.1.47	Trust: 1.6
vendor:	netgear	model:	rbk50	scope:	lt	version:	2.3.0.32	Trust: 1.6
vendor:	netgear	model:	rbr50	scope:	lt	version:	2.3.0.32	Trust: 1.6
vendor:	netgear	model:	rbs50	scope:	lt	version:	2.3.0.32	Trust: 1.6
vendor:	netgear	model:	d6100	scope:	lt	version:	1.0.0.63	Trust: 1.6
vendor:	netgear	model:	dm200	scope:	lt	version:	1.0.0.61	Trust: 1.6
vendor:	netgear	model:	r7500	scope:	lt	version:	1.0.3.40	Trust: 1.0
vendor:	netgear	model:	d3600	scope:	eq	version:	1.0.0.76	Trust: 0.8
vendor:	netgear	model:	d6000	scope:	eq	version:	1.0.0.76	Trust: 0.8
vendor:	netgear	model:	d6100	scope:	eq	version:	1.0.0.63	Trust: 0.8
vendor:	netgear	model:	dm200	scope:	eq	version:	1.0.0.61	Trust: 0.8
vendor:	netgear	model:	r7500	scope:	eq	version:	1.0.3.40	Trust: 0.8
vendor:	netgear	model:	r7800	scope:	eq	version:	1.0.1.47	Trust: 0.8
vendor:	netgear	model:	r7800	scope:	eq	version:	1.0.2.60	Trust: 0.8
vendor:	netgear	model:	rbk50	scope:	eq	version:	2.3.0.32	Trust: 0.8
vendor:	netgear	model:	rbr50	scope:	eq	version:	2.3.0.32	Trust: 0.8
vendor:	netgear	model:	rbs50	scope:	eq	version:	2.3.0.32	Trust: 0.8
vendor:	netgear	model:	r7500v2	scope:	lt	version:	1.0.3.40	Trust: 0.6

sources: CNVD: CNVD-2020-30686 // JVNDB: JVNDB-2019-015317 // NVD: CVE-2019-20715

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-20715
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2019-20715
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2019-015317
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-30686
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202004-1299
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2019-20715
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-015317
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-30686
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-20715
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2019-20715
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.0
Trust: 1.0
NVD:	JVNDB-2019-015317
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-30686 // JVNDB: JVNDB-2019-015317 // CNNVD: CNNVD-202004-1299 // NVD: CVE-2019-20715 // NVD: CVE-2019-20715

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2019-015317 // NVD: CVE-2019-20715

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1299

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202004-1299

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015317

PATCH

title:	Security Advisory for Stored Cross Site Scripting on Some Routers, Gateways, and WiFi Systems, PSV-2018-0248	url:	https://kb.netgear.com/000061213/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-Routers-Gateways-and-WiFi-Systems-PSV-2018-0248	Trust: 0.8
title:	Patch for Multiple NETGEAR product cross-site scripting vulnerabilities (CNVD-2020-30686)	url:	https://www.cnvd.org.cn/patchInfo/show/219485	Trust: 0.6
title:	Multiple NETGEAR Fixes for product cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116568	Trust: 0.6

sources: CNVD: CNVD-2020-30686 // JVNDB: JVNDB-2019-015317 // CNNVD: CNNVD-202004-1299

EXTERNAL IDS

db:	NVD	id:	CVE-2019-20715	Trust: 3.0
db:	JVNDB	id:	JVNDB-2019-015317	Trust: 0.8
db:	CNVD	id:	CNVD-2020-30686	Trust: 0.6
db:	CNNVD	id:	CNNVD-202004-1299	Trust: 0.6

sources: CNVD: CNVD-2020-30686 // JVNDB: JVNDB-2019-015317 // CNNVD: CNNVD-202004-1299 // NVD: CVE-2019-20715

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2019-20715	Trust: 2.0
url:	https://kb.netgear.com/000061213/security-advisory-for-stored-cross-site-scripting-on-some-routers-gateways-and-wifi-systems-psv-2018-0248	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-20715	Trust: 0.8

sources: CNVD: CNVD-2020-30686 // JVNDB: JVNDB-2019-015317 // CNNVD: CNNVD-202004-1299 // NVD: CVE-2019-20715

CREDITS

Wayne Low of Fortinets FortiGuard Labs

Trust: 0.6

sources: CNNVD: CNNVD-202004-1299

SOURCES

db:	CNVD	id:	CNVD-2020-30686
db:	JVNDB	id:	JVNDB-2019-015317
db:	CNNVD	id:	CNNVD-202004-1299
db:	NVD	id:	CVE-2019-20715

LAST UPDATE DATE

2024-11-23T23:08:03.159000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-30686	date:	2020-05-29T00:00:00
db:	JVNDB	id:	JVNDB-2019-015317	date:	2020-05-12T00:00:00
db:	CNNVD	id:	CNNVD-202004-1299	date:	2020-04-26T00:00:00
db:	NVD	id:	CVE-2019-20715	date:	2024-11-21T04:39:10.023

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-30686	date:	2020-05-29T00:00:00
db:	JVNDB	id:	JVNDB-2019-015317	date:	2020-05-12T00:00:00
db:	CNNVD	id:	CNNVD-202004-1299	date:	2020-04-16T00:00:00
db:	NVD	id:	CVE-2019-20715	date:	2020-04-16T19:15:24.823