PT-2026-8244 · Opnsense · Opnsense

Ozer Goker · Published 2026-02-15 · Updated 2026-02-15 · CVE-2019-25372

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: OPNsense version 19.1

Description: The software contains a reflected cross-site scripting issue that allows unauthenticated attackers to inject malicious scripts. This is due to insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to the /diag_traceroute.php API endpoint to execute arbitrary JavaScript in the context of a user's browser session. The vulnerable parameter is host.

Recommendations: Apply input validation to the host parameter in the /diag_traceroute.php API endpoint.
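
One way to apply the recommendation above, shown as an added example that is not OPNsense's own code or its actual fix: allow-list the host value as an IP address or hostname, and HTML-encode anything written back into the page. The function names validate_traceroute_host and html_out are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not OPNsense code. Function names are hypothetical.

/**
 * Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname.
 * Returns the normalised value, or null when the input must be rejected.
 */
function validate_traceroute_host($raw): ?string
{
    if (!is_string($raw)) {
        return null;                 // arrays (host[]=...) and missing values
    }
    $host = trim($raw);
    if ($host === '' || strlen($host) > 253) {
        return null;                 // empty, or longer than a DNS name can be
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // FILTER_FLAG_HOSTNAME limits each label to letters, digits and hyphens,
    // so quotes, angle brackets and whitespace never pass.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return strtolower($host);
    }
    return null;
}

/** Encode a value for an HTML text or quoted-attribute context. */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['host'].
$samples = ['192.0.2.10', '2001:db8::1', 'router.example.net',
            'example.net"><b>x</b>', ['a']];

foreach ($samples as $raw) {
    $host = validate_traceroute_host($raw);
    if ($host === null) {
        // Never echo the rejected value back; show a fixed message instead.
        echo "rejected: invalid host\n";
        continue;
    }
    // Encoding stays in place even for validated values (defence in depth).
    echo '<input name="host" value="' . html_out($host) . '">' . "\n";
}
```

Validation narrows what the endpoint accepts, while the output encoding is what stops a reflected value from being parsed as markup, so both belong in the handler.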

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2019-25372

Affected Products: Opnsense