Nixpkgs Security Tracker

Dismissed

Permalink CVE-2019-25377

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 month, 1 week ago by @jopejoe1 Activity log

Created automatic suggestion 1 month, 1 week ago
@jopejoe1 removed
6 packages
- prometheus-opnsense-exporter
- python314Packages.pyopnsense
- python313Packages.pyopnsense
- python312Packages.pyopnsense
- tests.home-assistant-component-tests.opnsense
- home-assistant-component-tests.opnsense
1 month, 1 week ago
@jopejoe1 dismissed 1 month, 1 week ago

OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php

OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions.

References

ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php third-party-advisory
ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php third-party-advisory

Affected products

OPNsense

==19.1

Not present in nixpkgs

Suggestion detail

References

Affected products