CVE-2019-25368

Name of the Vulnerable Software and Affected Versions OPNsense version 19.1

Description The software contains multiple cross-site scripting issues in the /diag backup.php API endpoint. Attackers can inject malicious scripts through several parameters, including GDrive GDriveEmail, GDrive GDriveFolderID, GDrive GDriveBackupCount, Nextcloud url, Nextcloud user, Nextcloud password, Nextcloud password encryption, and Nextcloud backupdir. By submitting POST requests with script payloads in these parameters, attackers can execute arbitrary JavaScript within the context of authenticated administrator sessions.

Recommendations Apply a fix or update to a newer version that addresses this vulnerability. As a temporary workaround, consider restricting access to the /diag backup.php endpoint to minimize the risk of exploitation. Sanitize all input received through the GDrive GDriveEmail, GDrive GDriveFolderID, GDrive GDriveBackupCount, Nextcloud url, Nextcloud user, Nextcloud password, Nextcloud password encryption, and Nextcloud backupdir parameters.