PT-2025-40279 · Deciso · Opnsense

Alex Williams · Published 2025-10-01 · Updated 2025-10-02 · CVE-2025-34182

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Deciso OPNsense versions prior to 25.7.4

Description

OPNsense versions prior to 25.7.4 are susceptible to a stored cross-site scripting issue. It occurs when creating an "Interfaces: Devices: Point-to-Point" entry: the ptpid parameter is not properly sanitized to remove HTML-related characters or strings, and the unsanitized value is then displayed on the /interfaces_assign.php page. An attacker with at least the "Interfaces: PPPs: Edit" permission can exploit this to inject malicious scripts. The issue was addressed by ensuring proper escaping of form data.

Recommendations

Upgrade to OPNsense version 25.7.4 or later.
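
A defender-side check for the condition described above, added here as an example and not taken from the advisory or from OPNsense code: it scans a configuration export for stored ptpid values that contain HTML metacharacters and shows each value escaped for output. The `<ppps>/<ppp>/<ptpid>` layout, the sample data and the function names are assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample. The <ppps>/<ppp>/<ptpid> layout is an assumption about
# how Point-to-Point entries are stored; it is not stated in the advisory.
SAMPLE_CONFIG = """<opnsense>
  <ppps>
    <ppp><ptpid>0</ptpid><type>pppoe</type><if>pppoe0</if></ppp>
    <ppp><ptpid>1&lt;b&gt;marker&lt;/b&gt;</ptpid><type>pppoe</type><if>pppoe1</if></ppp>
  </ppps>
</opnsense>"""

# Characters that change meaning when a value is written into HTML unescaped.
HTML_META = re.compile(r"[<>&\"']")


def audit_ptpid(config_xml):
    """Return (raw, escaped) pairs for each ptpid holding HTML metacharacters."""
    findings = []
    root = ET.fromstring(config_xml)
    for node in root.iter("ptpid"):
        raw = node.text or ""
        if HTML_META.search(raw):
            findings.append((raw, html.escape(raw, quote=True)))
    return findings


def render_cell(value, escape=True):
    """Build a table cell for the value; escape=False models the unfixed output."""
    shown = html.escape(value, quote=True) if escape else value
    return "<td>" + shown + "</td>"


if __name__ == "__main__":
    for raw, escaped in audit_ptpid(SAMPLE_CONFIG):
        print("suspicious ptpid:", repr(raw))
        print("  unescaped cell:", render_cell(raw, escape=False))
        print("  escaped cell:  ", render_cell(raw))
```

A non-empty result on a real export means an entry was stored with markup in ptpid and should be reviewed and removed in addition to upgrading.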

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-34182

Affected Products

Opnsense