Netgear: Security Vulnerabilities
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.58, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.5.2, and R9000 before 1.0.5.2.
CVSS Score
6.1
EPSS Score
0.001
Published
2020-12-30
NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by command injection.
CVSS Score
8.4
EPSS Score
0.006
Published
2020-12-30
Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-12-30
NETGEAR NMS300 devices before 1.6.0.27 are affected by denial of service.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-12-30
Cross-site request forgery (CSRF) vulnerability in GS108Ev3 firmware version 2.06.10 and earlier allows remote attackers to hijack the authentication of administrators and the product's settings may be changed without the user's intention or consent via unspecified vectors.
CVSS Score
6.5
EPSS Score
0.001
Published
2020-11-24
upnpd on certain NETGEAR devices allows remote (LAN) attackers to execute arbitrary code via a stack-based buffer overflow. This affects R6400v2 V1.0.4.102_10.0.75, R6400 V1.0.1.62_1.0.41, R7000P V1.3.2.126_10.1.66, XR300 V1.0.3.50_10.3.36, R8000 V1.0.4.62, R8300 V1.0.2.136, R8500 V1.0.2.136, R7300DST V1.0.0.74, R7850 V1.0.5.64, R7900 V1.0.4.30, RAX20 V1.0.2.64, RAX80 V1.0.3.102, and R6250 V1.0.4.44.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-11-09
The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.
CVSS Score
6.5
EPSS Score
0.011
Published
2020-11-02
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R6120, R6080, R6260, R6220, R6020, JNR3210, and WNR2020 routers with firmware 1.0.66. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10754.
CVSS Score
6.5
EPSS Score
0.003
Published
2020-10-13
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects WAC720 before 3.9.1.13 and WAC730 before 3.9.1.13.
CVSS Score
3.1
EPSS Score
0.001
Published
2020-10-09
NETGEAR GS808E devices before 1.7.1.0 are affected by denial of service.
CVSS Score
3.2
EPSS Score
0.001
Published
2020-10-09