CVE-2019-20489Improper Authentication in Netgear Wnr1000 Firmware

CWE-287Improper Authentication3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
0.2%
top 58.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Netgear Wnr1000 Firmware
Timeline
PublishedMar 2
Latest updateMay 24

Description

An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. The web management interface (setup.cgi) has an authentication bypass and other problems that ultimately allow an attacker to remotely compromise the device from a malicious webpage. The attacker sends an FW_remote.htm&todo=cfg_init request without a cookie, reads the Set-Cookie header in the 401 Unauthorized response, and then repeats the FW_remote.htm&todo=cfg_init request with the specified cookie.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-rr49-pwf2-62mg: An issue was discovered on NETGEAR WNR1000V4 12022-05-24
CVEList
CVE-2019-20489: An issue was discovered on NETGEAR WNR1000V4 12020-03-02
CVE-2019-20489 — Improper Authentication in Netgear | cvebase