CVE-2019-12512

Name of the Vulnerable Software and Affected Versions: NETGEAR Nighthawk X10-R900 versions prior to 1.0.4.24

Description: The issue allows an attacker to execute stored XSS attacks against the device by supplying a malicious X-Forwarded-For header during an incorrect login attempt. The supplied value is inserted into administrative logs, which can be found at Advanced settings->Administration->Logs, and may trigger when the page is viewed. Although the value is inserted into a textarea tag, the attack can be successful by simply supplying a closing textarea tag.

Recommendations: For versions prior to 1.0.4.24, update to version 1.0.4.24 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrative logs page to minimize the risk of exploitation. Avoid using the X-Forwarded-For header in login attempts until the issue is resolved.