CVE-2023-2391

Name of the Vulnerable Software and Affected Versions Netgear SRX5308 versions up to 4.3.5-3

Description The issue exists due to insufficient input validation in the web management interface of the Netgear SRX5308 router's embedded software. Exploitation of this issue may allow a remote attacker to conduct a cross-site scripting attack by sending a specially crafted HTTP request using the ntp.server2 parameter. This can be achieved by manipulating the ntp.server2 argument in the scgi-bin/platform.cgi?page=time zone.htm file of the Web Management Interface component.

Recommendations For versions up to 4.3.5-3, as a temporary workaround, consider restricting access to the scgi-bin/platform.cgi?page=time zone.htm endpoint until a patch is available. Avoid using the ntp.server2 parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.