Nixpkgs Security Tracker

Dismissed

Permalink CVE-2019-25376

6.1 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 month, 1 week ago by @jopejoe1 Activity log

Created automatic suggestion 1 month, 1 week ago
@jopejoe1 removed
6 packages
- prometheus-opnsense-exporter
- python312Packages.pyopnsense
- python313Packages.pyopnsense
- python314Packages.pyopnsense
- home-assistant-component-tests.opnsense
- tests.home-assistant-component-tests.opnsense
1 month, 1 week ago
@jopejoe1 dismissed 1 month, 1 week ago

OPNsense 19.1 Reflected XSS via proxy endpoint

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.

References

ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via proxy endpoint third-party-advisory
ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via proxy endpoint third-party-advisory

Affected products

OPNsense

==19.1

Not present in nixpkgs

Suggestion detail

References

Affected products