CVE-2019-12510

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API "/soap/serversa" by supplying a malicious X-Forwarded-For header of the device's LAN IP address 192.168.1.1 in every request. As a result, an attacker may...

EUVD-2019-4107

Malware in sbrugna...

CVE-2019-12513

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP discover request containing a malicious hostname field, an attacker may execute stored XSS attacks against this device. When the malicious DHCP request is received, the device will generate a log entry containing the malicious...

NETGEAR Nighthawk X10-R9000 Authentication Bypass Vulnerability

The NETGEAR Nighthawk X10-R9000 is a wireless router from NETGEAR. A security vulnerability exists in the NETGEAR Nighthawk X10-R9000 using firmware versions prior to 1.0.4.26. An attacker could exploit the vulnerability to bypass authentication...

NETGEAR Nighthawk X10-R9000 Cross-Site Scripting Vulnerability (CNVD-2020-13506)

The NETGEAR Nighthawk X10-R9000 is a wireless router from NETGEAR. A cross-site scripting vulnerability exists in the NETGEAR Nighthawk X10-R9000 using firmware prior to version 1.0.4.24. The vulnerability stems from a lack of proper validation of client data by the WEB application. An attacker c...

NETGEAR Nighthawk X10-R9000 Cross-Site Scripting Vulnerability

The NETGEAR Nighthawk X10-R9000 is a wireless router from NETGEAR. A cross-site scripting vulnerability exists in the NETGEAR Nighthawk X10-R9000 using firmware prior to version 1.0.4.24. The vulnerability stems from a lack of proper validation of client data by the WEB application. An attacker c...

CVE-2019-12512

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execute stored XSS attacks against this device by supplying a malicious X-Forwarded-For header while performing an incorrect login attempt. The value supplied by this header will be inserted into administrative logs, found at Advanc...

CVE-2019-12513

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP discover request containing a malicious hostname field, an attacker may execute stored XSS attacks against this device. When the malicious DHCP request is received, the device will generate a log entry containing the malicious...

CVE-2019-12510

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API "/soap/serversa" by supplying a malicious X-Forwarded-For header of the device's LAN IP address 192.168.1.1 in every request. As a result, an attacker may...

CVE-2019-12511

In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled...

CVE-2019-12513

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP discover request containing a malicious hostname field, an attacker may execute stored XSS attacks against this device. When the malicious DHCP request is received, the device will generate a log entry containing the malicious...

CVE-2019-12512

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execute stored XSS attacks against this device by supplying a malicious X-Forwarded-For header while performing an incorrect login attempt. The value supplied by this header will be inserted into administrative logs, found at Advanc...

Spoofing

In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled...

Cross site scripting

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP discover request containing a malicious hostname field, an attacker may execute stored XSS attacks against this device. When the malicious DHCP request is received, the device will generate a log entry containing the malicious...

Cross site scripting

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execute stored XSS attacks against this device by supplying a malicious X-Forwarded-For header while performing an incorrect login attempt. The value supplied by this header will be inserted into administrative logs, found at Advanc...

CVE-2019-12513 Stored XSS via DHCP Discover Request Hostname

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP discover request containing a malicious hostname field, an attacker may execute stored XSS attacks against this device. When the malicious DHCP request is received, the device will generate a log entry containing the malicious...

CVE-2019-12512

Affected product: NETGEAR Nighthawk X10-R900 router with firmware prior to 1.0.4.24. Vulnerability: stored XSS via a malicious X-Forwarded-For header during an incorrect login attempt. The crafted header value is written into administrative logs (Advanced settings → Administration → Logs) and can...

CVE-2019-12511 Root Command Injection via MAC Address in SOAP API

In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled...

CVE-2019-12510 Auth Bypass Via X-Forwarded-For Header in SOAP API

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API "/soap/serversa" by supplying a malicious X-Forwarded-For header of the device's LAN IP address 192.168.1.1 in every request. As a result, an attacker may...