Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Certain NETGEAR smart switches are affected by a \n injection in the web UI's password field, which - due to several faulty aspects of the authentication scheme - allows the attacker to create (or overwrite) a file with specific content (e.g., the "2" string). This leads to admin session crafting and therefore gaining full web UI admin privileges by an unauthenticated attacker. This affects GC108P before 184.108.40.206, GC108PP before 220.127.116.11, GS108Tv3 before 18.104.22.168, GS110TPP before 22.214.171.124, GS110TPv3 before 126.96.36.199, GS110TUP before 188.8.131.52, GS308T before 184.108.40.206, GS310TP before 220.127.116.11, GS710TUP before 18.104.22.168, GS716TP before 22.214.171.124, GS716TPP before 126.96.36.199, GS724TPP before 188.8.131.52, GS724TPv2 before 184.108.40.206, GS728TPPv2 before 220.127.116.11, GS728TPv2 before 18.104.22.168, GS750E before 22.214.171.124, GS752TPP before 126.96.36.199, GS752TPv2 before 188.8.131.52, MS510TXM before 184.108.40.206, and MS510TXUP before 220.127.116.11.
CWE-74 - Injection
Listed as the number one web application security risk on the 'OWASP Top Ten', injection attacks are widespread and dangerous, especially in legacy applications. Injection attacks are a class of vulnerabilities in which an attacker injects untrusted data into a web application that gets processed by an interpreter, altering the program's execution. This can result in data loss/theft, loss of data integrity, denial of service, and even compromising the entire system.