Vulnerability Description
An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefore can be embedded in third party pages, and re-used against the Nighthawk web interface. This entirely bypasses the intended security benefits of the use of a CSRF-protection token.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netgear | Mr1100 Firmware | < 12.06.03 |
| Netgear | Mr1100 | - |
Related Weaknesses (CWE)
References
- https://www.pentestpartners.com/security-blog/how-not-to-do-cross-site-request-fExploitThird Party Advisory
- https://www.pentestpartners.com/security-blog/how-not-to-do-cross-site-request-fExploitThird Party Advisory
FAQ
What is CVE-2019-14526?
CVE-2019-14526 is a vulnerability with a CVSS score of 8.1 (HIGH). An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefore...
How severe is CVE-2019-14526?
CVE-2019-14526 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-14526?
Check the references section above for vendor advisories and patch information. Affected products include: Netgear Mr1100 Firmware, Netgear Mr1100.