CVE-2025-34172
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-10-10

Assigner: VulnCheck

Description
In pfSense CEΒ /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-10-10
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34172
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pfsense pfsense to 2.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in the pfSense HAProxy package, specifically in the file /usr/local/www/haproxy/haproxy_stats.php. It occurs because the value of the 'showsticktablecontent' parameter from HTTP GET requests is displayed without proper encoding or validation. This allows an attacker to inject malicious scripts that are reflected back to an authenticated user, potentially leading to script execution in the user's browser. [1, 2]

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute malicious scripts in the context of an authenticated user's browser session. This can lead to theft of session cookies, defacement, or other malicious actions performed on behalf of the user. Since the vulnerability requires the victim to be authenticated, it targets users with access to the pfSense HAProxy statistics page, potentially compromising administrative or monitoring functions. [1, 2]

Detection Guidance

This vulnerability can be detected by testing if the pfSense HAProxy statistics page (/usr/local/www/haproxy/haproxy_stats.php) improperly reflects the 'showsticktablecontent' GET parameter without proper encoding, which could allow reflected XSS. A practical detection method is to send HTTP GET requests to the vulnerable URL with a crafted 'showsticktablecontent' parameter containing a harmless script or HTML tag and observe if it is reflected unencoded in the response. For example, you can use curl or a browser to request: curl -i 'http://<pfSense-IP>/haproxy/haproxy_stats.php?showsticktablecontent=<script>alert(1)</script>' and check if the script tag appears in the response HTML unescaped. This indicates the presence of the vulnerability. [1, 2]

Mitigation Strategies

Immediate mitigation steps include updating the pfSense HAProxy package to the fixed versions where the vulnerability is patched. The fixed versions are pfSense Plus 25.07.1 and 25.07, and Community Edition 2.8.1 and 2.8.0. These updates include input validation and output sanitization to prevent reflected XSS. Until the update is applied, restrict access to the HAProxy statistics page to trusted users only, as the vulnerability requires authentication. Additionally, consider implementing web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'showsticktablecontent' parameter. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart