CVE-2025-34182
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-02
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deciso | opnsense | 25.7.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Deciso OPNsense before version 25.7.4 occurs because the parameter 'ptpid' in the 'Interfaces: Devices: Point-to-Point' entry is not properly sanitized for HTML-related characters. When this parameter is displayed on the page interfaces_assign.php, it can lead to stored cross-site scripting (XSS). An attacker with at least 'Interfaces: PPPs: Edit' permission can exploit this by injecting malicious HTML or scripts that get stored and executed when the page is viewed.
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker with certain permissions to execute stored cross-site scripting attacks. This can lead to unauthorized script execution in the context of the affected web interface, potentially allowing the attacker to steal session tokens, perform actions on behalf of other users, or manipulate the interface, thereby compromising the security and integrity of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Deciso OPNsense to version 25.7.4 or later, where the issue has been fixed by properly escaping HTML characters in the ptpid parameter. Additionally, grant the "Interfaces: PPPs: Edit" permission only to trusted personnel.
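
As a complementary check on an unpatched system, the stored Point-to-Point entries can be audited for ptpid values that contain HTML metacharacters. The script below is an added example, not code from OPNsense or from this advisory. It assumes the entries are stored as `<ppp>` elements with `<ptpid>` and `<if>` children inside the configuration XML; the sample data is constructed.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample. The <ppps>/<ppp>/<ptpid>/<if> layout is an assumption
# about how Point-to-Point entries are stored; it is not taken from the advisory.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <ppps>
    <ppp><ptpid>0</ptpid><type>pppoe</type><if>pppoe0</if></ppp>
    <ppp><ptpid>1&lt;b&gt;x&lt;/b&gt;</ptpid><type>pppoe</type><if>pppoe1</if></ppp>
  </ppps>
</opnsense>
"""

# Characters that change meaning when written unescaped into HTML output.
HTML_META = re.compile(r"[<>\"'&]")


def audit_ptpid(config_xml: str):
    """Return (interface, raw ptpid, escaped ptpid) for each suspicious entry."""
    findings = []
    root = ET.fromstring(config_xml)
    for ppp in root.iter("ppp"):
        ptpid = ppp.findtext("ptpid", default="")
        if HTML_META.search(ptpid):
            iface = ppp.findtext("if", default="?")
            # html.escape gives the neutralized form a page should emit.
            findings.append((iface, ptpid, html.escape(ptpid, quote=True)))
    return findings


if __name__ == "__main__":
    for iface, raw, safe in audit_ptpid(SAMPLE_CONFIG):
        print(f"{iface}: ptpid={raw!r} has HTML metacharacters; escaped: {safe}")
```

Any finding indicates a stored value that would have been rendered unescaped on interfaces_assign.php before the fix, so it is worth reviewing who created the entry.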