Dismissed
Permalink
CVE-2019-25368
5.4 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @jopejoe1 Activity log
- Created automatic suggestion
-
@jopejoe1
removed
6 packages
- tests.home-assistant-component-tests.opnsense
- python314Packages.pyopnsense
- python313Packages.pyopnsense
- prometheus-opnsense-exporter
- home-assistant-component-tests.opnsense
- python312Packages.pyopnsense
- @jopejoe1 dismissed
OPNsense 19.1 Reflected XSS via diag_backup.php
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.
References
- OPNsense 19.1.1 Release Announcement patch
- VulnCheck Advisory: OPNsense 19.1 Reflected XSS via diag_backup.php third-party-advisory
- ExploitDB-46351 exploit
- OPNsense Official Website product
- ExploitDB-46351 exploit
- OPNsense Official Website product
- OPNsense 19.1.1 Release Announcement patch
- VulnCheck Advisory: OPNsense 19.1 Reflected XSS via diag_backup.php third-party-advisory
Affected products
OPNsense
- ==19.1