CVE-2025-34175
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-10
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pfsense | pfsense | up to 2.8.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) issue in the Suricata package of pfSense, specifically in the file `/usr/local/www/suricata/suricata_filecheck.php`. The `filehash` parameter is reflected back to the user without proper sanitization or encoding of HTML-related characters. If an authenticated user visits a crafted URL containing malicious script in the `filehash` parameter, the script can execute in their browser, potentially leading to unauthorized actions or data exposure. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform reflected cross-site scripting attacks against authenticated users of the pfSense Suricata interface. This means an attacker could execute arbitrary JavaScript in the context of the victim's browser session, potentially stealing session tokens, performing actions on behalf of the user, or delivering malicious payloads. The impact depends on the victim being authenticated and interacting with a maliciously crafted link. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected cross-site scripting (XSS) issue in the Suricata package of pfSense, specifically in the file `/usr/local/www/suricata/suricata_filecheck.php`, where the `filehash` parameter is not properly sanitized. Detection can involve monitoring HTTP requests to this endpoint for suspicious or malicious payloads in the `filehash` parameter. You can use web proxy logs or network traffic captures to look for requests containing script tags or encoded XSS payloads targeting this parameter. For example, you can use a command-line tool such as curl to test the endpoint with crafted input, `curl -i 'http://<pfsense-ip>/suricata/suricata_filecheck.php?filehash=<script>alert(1)</script>'`, and check whether the script is reflected in the response without encoding. Web vulnerability scanners that test for reflected XSS can also be run against this URL. Monitoring web server logs for unusual or suspicious values in the `filehash` query parameter can also help detect exploitation attempts. [1]
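The log review described above can be scripted. The following is an added example, not code from this page or from the pfSense project: it scans access-log lines for requests to the affected endpoint whose `filehash` value, after percent-decoding, is not a plain hash. It assumes a combined-format access log and that legitimate `filehash` values are hex digests of 32 to 64 characters; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/suricata/suricata_filecheck.php"  # web path of the affected file
# Assumption: a legitimate filehash is a hex digest (32 to 64 hex characters).
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{32,64}")
# Characters that only matter if the value is echoed into HTML unencoded.
HTML_META = re.compile(r"[<>\"'`&]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), with a bounded loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_filehash(log_lines):
    """Return (line_number, decoded_value, reason) for requests worth reviewing."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != ENDPOINT:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("filehash", []):
            value = fully_unquote(raw)  # parse_qs already decoded one layer
            if HTML_META.search(value):
                findings.append((number, value, "html-metacharacters"))
            elif not HEX_DIGEST.fullmatch(value):
                findings.append((number, value, "not-a-hex-digest"))
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Sep/2025:10:00:01 +0000] "GET /suricata/suricata_filecheck.php?filehash=d41d8cd98f00b204e9800998ecf8427e HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [09/Sep/2025:10:02:17 +0000] "GET /suricata/suricata_filecheck.php?filehash=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5188 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [09/Sep/2025:10:02:40 +0000] "GET /suricata/suricata_filecheck.php?filehash=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5190 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Sep/2025:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Sep/2025:10:04:12 +0000] "GET /suricata/suricata_filecheck.php?filehash=abc HTTP/1.1" 200 5090 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_filehash(SAMPLE_LOG):
        print(finding)
```

A `not-a-hex-digest` hit is only a prompt for review, since the allow-list pattern is an assumption about normal use rather than documented behaviour.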
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Suricata package on pfSense to the fixed versions where this vulnerability has been addressed. The fix involves proper input validation, output encoding (using htmlspecialchars), and URL encoding to prevent reflected XSS attacks. The patched versions are available for pfSense Plus versions 25.07.1 and 25.07, and Community Edition versions 2.8.1 and 2.8.0. If an immediate update is not possible, consider restricting access to the Suricata web interface to trusted users only, and avoid clicking on suspicious links containing the `filehash` parameter. Additionally, monitor and filter HTTP requests to the vulnerable endpoint to detect and block potential XSS payloads. Applying web application firewall (WAF) rules to sanitize or block malicious input targeting the `filehash` parameter can also help reduce risk until the patch is applied. [1, 2]