CVE-2025-34174
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-10
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pfsense | pfsense | up to 2.8.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in the pfSense Status_Traffic_Totals package. Specifically, the 'start-day' parameter in the /usr/local/www/status_traffic_totals.php file is not validated or sanitized before being displayed back to users. An attacker with at least 'WebCfg - Status: Traffic Totals' permissions can inject malicious HTML or script code into this parameter, which is then saved and displayed to all users visiting the Status Traffic Totals page, leading to stored XSS attacks. [1]
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker to execute arbitrary scripts in the browsers of users who visit the affected Status Traffic Totals page. This can lead to session hijacking, defacement, or other malicious actions performed on behalf of the victim user. Since the malicious code is stored and displayed to all users, it can affect multiple users and compromise the integrity and security of the pfSense web interface. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the 'start-day' parameter in the /usr/local/www/status_traffic_totals.php page accepts non-numeric or HTML-related characters without validation, which could indicate the presence of the stored XSS vulnerability. To detect exploitation attempts, or an injected value that is already present, monitor HTTP requests to this page for suspicious 'start-day' parameter values containing script tags or HTML. For example, using command-line tools like curl or grep:

1. Use curl to send a request with a test XSS payload in the 'start-day' parameter and observe whether it is reflected unsanitized:

```
curl -i -X POST -d "start-day=<script>alert(1)</script>" https://your-pfsense/status_traffic_totals.php
```

2. Use grep or similar tools on the web server logs to find requests with suspicious 'start-day' values, in /var/log/nginx/access.log or /var/log/httpd/access_log:

```
grep "start-day=<script" /var/log/nginx/access.log
grep "start-day=<script" /var/log/httpd/access_log
```

3. Additionally, check the configuration or saved defaults for the 'start-day' parameter to see whether any malicious values are stored.

These steps help detect whether the vulnerability is present or has been exploited on your system. [1]
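The log search in step 2, extended as an added example (not code from the original page or from the pfSense project): a literal `grep` for `<script` misses percent-encoded values, so this scanner decodes each 'start-day' value and flags anything that is not purely numeric. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
PAGE = "/status_traffic_totals.php"
PARAM = "start-day"

# Constructed sample lines; addresses come from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Sep/2025:10:00:01 +0000] "GET /status_traffic_totals.php?start-day=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [09/Sep/2025:10:02:17 +0000] "GET /status_traffic_totals.php?start-day=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.44 - - [09/Sep/2025:10:02:40 +0000] "GET /status_traffic_totals.php?start-day=%253Cb%253E HTTP/1.1" 200 5301',
    '192.0.2.10 - - [09/Sep/2025:10:05:00 +0000] "GET /index.php?start-day=%3Cb%3E HTTP/1.1" 200 900',
]

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_start_days(lines):
    """Return (line_number, decoded_value) for each non-numeric start-day."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != PAGE:
            continue  # only the affected page is of interest
        # parse_qsl performs the first round of percent-decoding.
        for key, value in parse_qsl(target.query):
            decoded = decode_fully(value)
            if key == PARAM and not re.fullmatch(r"[0-9]+", decoded):
                hits.append((number, decoded))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_start_days(SAMPLE_LOG):
        print(f"line {number}: start-day={value!r}")
```

Access logs record the request line, not POST bodies, so this only covers values sent in the URL; a value submitted by POST has to be found through the stored configuration check in step 3.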
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the pfSense Status_Traffic_Totals package to a fixed version where input validation is enforced. Specifically, upgrade to pfSense Plus versions 25.07.1 or 25.07, or Community Edition versions 2.8.1 or 2.8.0 or later, where the vulnerability has been patched. The patch enforces strict validation on the 'start-day' parameter and other inputs to prevent stored XSS. Additionally, restrict access to the Status Traffic Totals page to only trusted authenticated users with necessary permissions, and monitor for suspicious input values. If an update is not immediately possible, consider disabling or restricting access to the affected page as a temporary workaround. [1, 2]