Nixpkgs Security Tracker

Dismissed

Permalink CVE-2019-25372

6.1 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 month, 1 week ago by @jopejoe1 Activity log

Created automatic suggestion 1 month, 1 week ago
@jopejoe1 removed
6 packages
- tests.home-assistant-component-tests.opnsense
- python314Packages.pyopnsense
- python313Packages.pyopnsense
- prometheus-opnsense-exporter
- home-assistant-component-tests.opnsense
- python312Packages.pyopnsense
1 month, 1 week ago
@jopejoe1 dismissed 1 month, 1 week ago

OPNsense 19.1 Reflected XSS via diag_traceroute.php

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted payloads through POST requests to diag_traceroute.php to execute arbitrary JavaScript in the context of a user's browser session.

References

ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via diag_traceroute.php third-party-advisory
ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via diag_traceroute.php third-party-advisory

Affected products

OPNsense

==19.1

Not present in nixpkgs

Suggestion detail

References

Affected products