CVE-2025-34172
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-10
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pfsense | pfsense | up to 2.8.0 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) issue in the pfSense HAProxy package, specifically in the file /usr/local/www/haproxy/haproxy_stats.php. It occurs because the value of the 'showsticktablecontent' parameter from HTTP GET requests is written into the page without proper encoding or validation. An attacker can therefore craft a link whose parameter value contains script or HTML; when an authenticated user opens that link, the content is reflected back and may execute in that user's browser. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to execute malicious scripts in the context of an authenticated user's browser session. This can lead to theft of session cookies, defacement, or other malicious actions performed on behalf of the user. Since the vulnerability requires the victim to be authenticated, it targets users with access to the pfSense HAProxy statistics page, potentially compromising administrative or monitoring functions. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the pfSense HAProxy statistics page (/usr/local/www/haproxy/haproxy_stats.php) reflects the 'showsticktablecontent' GET parameter without proper encoding, which would allow reflected XSS. A practical detection method is to send HTTP GET requests to the URL with a crafted 'showsticktablecontent' parameter containing a harmless script or HTML tag and observe whether it is reflected unencoded in the response. For example, you can use curl or a browser to request: curl -i 'http://<pfSense-IP>/haproxy/haproxy_stats.php?showsticktablecontent=<script>alert(1)</script>' and check whether the script tag appears in the response HTML unescaped. Because the page is only served to authenticated users, the request must carry a valid pfSense session (for curl, the session cookie); an unauthenticated request is answered with the login page and would give a false negative. An unescaped reflection indicates the presence of the vulnerability. A non-intrusive alternative is to compare the installed HAProxy package version against the fixed versions. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the pfSense HAProxy package to the fixed versions where the vulnerability is patched. The fixed versions are pfSense Plus 25.07.1 and 25.07, and Community Edition 2.8.1 and 2.8.0. These updates include input validation and output sanitization to prevent reflected XSS. Until the update is applied, restrict access to the HAProxy statistics page to trusted users only, as the vulnerability requires authentication. Additionally, consider implementing web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'showsticktablecontent' parameter. [1, 2]
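The following is an added example, not code from pfSense, the HAProxy package, or BaseFortify. It serves both the detection question above (finding past requests that carried a suspicious 'showsticktablecontent' value in the web server access log) and the WAF-rule suggestion in the mitigation answer (an allowlist check on the parameter). It also shows the output-encoding step that a fixed page must apply before echoing the value. Assumptions: the access log is in common log format; a legitimate parameter value is a plain table identifier matching [A-Za-z0-9_.-] (the exact character set the page accepts is not documented here, so adjust to your deployment); the log lines below are constructed, not real traffic.

```python
"""Scan an access log for suspicious showsticktablecontent values sent to the
pfSense HAProxy stats page, and show the encoding step that neutralises a
reflected value. Added example; not pfSense, HAProxy-package or BaseFortify code."""
import html
import re
from urllib.parse import urlsplit, parse_qs

# ASSUMPTION: a legitimate value is a table identifier. The exact character set
# accepted by haproxy_stats.php is not stated on the page; tighten as needed.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
STATS_PAGE = "/haproxy/haproxy_stats.php"
PARAM = "showsticktablecontent"

# Extracts the client address and the request target from a common-log-format line.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log lines (not real traffic). Line 2 carries the page's own
# test string; line 4 carries a quote plus a harmless bold tag; line 5 hits a
# different script and is out of scope for this rule.
SAMPLE_LOG = """\
192.0.2.10 - admin [09/Sep/2025:10:00:01 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=frontend_tbl HTTP/1.1" 200 5120
192.0.2.11 - admin [09/Sep/2025:10:00:05 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5190
192.0.2.12 - admin [09/Sep/2025:10:00:09 +0000] "GET /haproxy/haproxy_stats.php HTTP/1.1" 200 4800
192.0.2.13 - admin [09/Sep/2025:10:00:12 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=%22%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 5200
192.0.2.14 - admin [09/Sep/2025:10:00:15 +0000] "GET /index.php?showsticktablecontent=%3Cb%3E HTTP/1.1" 404 300
"""


def is_allowed_value(value: str) -> bool:
    """Allowlist check usable as a WAF rule: True only for plain identifiers."""
    return ALLOWED_VALUE.fullmatch(value) is not None


def inspect_request(target: str):
    """Return the decoded parameter value when the request targets the stats
    page with a value outside the allowlist; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.endswith(STATS_PAGE):
        return None
    # parse_qs percent-decodes, so encoded and literal payloads are treated alike.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if not is_allowed_value(value):
            return value
    return None


def scan_log(text: str):
    """Return a list of (client, decoded_value) for each suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-CLF line; skip rather than guess
        bad = inspect_request(m.group("target"))
        if bad is not None:
            findings.append((m.group("client"), bad))
    return findings


def render_for_html(value: str) -> str:
    """Output-encoding step: a fixed page must escape the value before echoing
    it into HTML, so reflected markup is shown as text, not interpreted."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for client, value in scan_log(SAMPLE_LOG):
        print(f"{client} sent out-of-allowlist value; rendered safely as: {render_for_html(value)}")
```

The allowlist approach (reject anything that is not a plain identifier) is deliberately stricter than a denylist of tag names: it also catches quote characters and other deviations that a tag-based pattern would miss, and it is cheap to express as a WAF rule. Scanning is scoped to the stats page path so unrelated scripts that happen to receive the same parameter name do not produce noise.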