PT-2026-8248 · Opnsense · Opnsense

Ozer Goker · Published 2026-02-15 · Updated 2026-02-15 · CVE-2019-25376

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: OPNsense version 19.1

Description: OPNsense version 19.1 contains a reflected cross-site scripting issue that allows unauthenticated attackers to inject malicious scripts. Attackers can submit crafted payloads through the ignoreLogACL parameter to execute arbitrary scripts in users' browsers. This is achieved by sending POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter. The vulnerable API endpoint is '/proxy'.

Recommendations: Apply a fix to address the reflected cross-site scripting issue in the ignoreLogACL parameter of the proxy endpoint.
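
The kind of check the recommendation calls for, as an added example (not OPNsense code and not the vendor's fix): validate the ignoreLogACL value against an allowlist and HTML-encode it before any reflection. It assumes the field is meant to hold a comma-separated list of IP addresses or subnets and that it arrives as a flat urlencoded field name; the function names and sample bodies are constructed for illustration.

```python
import html
import ipaddress
from urllib.parse import parse_qs

PARAM = "ignoreLogACL"  # parameter named in the advisory; flat field name is an assumption


def invalid_entries(value):
    """Return the comma-separated entries that are not an IP address or CIDR network."""
    bad = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def check_post_body(body):
    """Parse a urlencoded POST body; return (accepted, safe_echo) per ignoreLogACL value."""
    results = []
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        accepted = not invalid_entries(value)
        # Encode before any reflection into HTML, even when the input is rejected
        results.append((accepted, html.escape(value, quote=True)))
    return results


# Constructed sample bodies (not captured traffic)
SAMPLES = [
    "ignoreLogACL=192.168.1.0%2F24%2C10.0.0.5",
    "ignoreLogACL=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_post_body(body))
```

The same validation can be run over recorded POST bodies to the proxy endpoint to find requests whose ignoreLogACL value is not an address list.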

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-25376

Affected Products

Opnsense