PT-2026-8243 · Opnsense · Opnsense

Ozer Goker · Published 2026-02-15 · Updated 2026-02-15 · CVE-2019-25371

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: OPNsense version 19.1

Description: OPNsense version 19.1 has a reflected cross-site scripting issue. Unauthenticated attackers can inject malicious scripts due to inadequate input validation. Attackers can send specially crafted POST requests to the /diag_ping.php endpoint, using the host parameter to include script payloads and execute arbitrary JavaScript in the browsers of users. The host parameter is the point of injection.

Recommendations: Apply input validation to the host parameter in the /diag_ping.php endpoint.
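
One way to apply the recommended validation to a ping target, shown as an added example (not OPNsense's code or its actual fix). The helpers validated_ping_host() and h() are hypothetical names and the sample inputs are constructed. It goes one step beyond the recommendation by also encoding the value where it is written back into the page.

```php
<?php
declare(strict_types=1);

/**
 * Return a normalised host (IP literal or DNS hostname), or null if the
 * submitted value is neither. Hypothetical helper, not OPNsense code.
 */
function validated_ping_host($raw): ?string
{
    if (!is_string($raw)) {
        return null;                 // e.g. host[]=... arrives as an array
    }
    $host = trim($raw);
    if ($host === '' || strlen($host) > 253) {
        return null;                 // 253 = maximum length of a DNS name
    }
    // IPv4 or IPv6 literal.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Hostname: dot-separated labels of letters, digits and hyphens.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return strtolower($host);
    }
    return null;
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['host'].
$samples = ['192.0.2.10', '2001:db8::1', 'gw.example.net', '"><b>markup</b>', ['x']];

foreach ($samples as $submitted) {
    $host = validated_ping_host($submitted);
    if ($host === null) {
        // A fixed message never reflects the rejected value back to the browser.
        echo "rejected: invalid host\n";
        continue;
    }
    // Encode at output even after validation, so the form field stays inert
    // if the validation rules are later relaxed.
    echo '<input type="text" name="host" value="' . h($host) . '">' . "\n";
}
```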

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2019-25371

Affected Products: Opnsense