CVE-2019-25379
Stored and Reflected XSS in Smoothwall Express urlfilter.cgi
Publication date: 2026-02-16
Last updated on: 2026-02-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smoothwall | smoothwall_express | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Smoothwall Express 3.1-SP4-polar-x86_64-update9 and involves stored and reflected cross-site scripting (XSS) flaws in the urlfilter.cgi endpoint and other CGI scripts. Attackers can send specially crafted POST requests containing malicious JavaScript payloads in parameters such as REDIRECT_PAGE or CHILDREN. Because these inputs are not properly sanitized, the malicious scripts can be injected and executed in the browsers of users accessing the affected web interface.
The XSS vulnerabilities allow attackers to run arbitrary JavaScript code within the context of the Smoothwall web interface, potentially compromising user sessions or causing other malicious effects.
How can this vulnerability impact me? :
This vulnerability can lead to attackers executing arbitrary JavaScript in the browsers of users interacting with the Smoothwall Express web interface. Such execution can result in session hijacking, where attackers steal user session tokens, defacement of the web interface, or other malicious actions that compromise the integrity and security of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted HTTP POST requests to the urlfilter.cgi endpoint on port 81 of the Smoothwall Express 3.1-SP4-polar-x86_64-update9 system. The requests should include malicious script payloads in parameters such as REDIRECT_PAGE or CHILDREN to test for cross-site scripting (XSS) vulnerabilities.'}, {'type': 'paragraph', 'content': "For example, you can use curl commands to send POST requests with JavaScript payloads like `'><script>alert(1)</script>` in the vulnerable parameters and observe if the script executes or is reflected in the response."}, {'type': 'list_item', 'content': 'curl -X POST http://<target-ip>:81/urlfilter.cgi -d "REDIRECT_PAGE=\'><script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'curl -X POST http://<target-ip>:81/urlfilter.cgi -d "CHILDREN=\'><script>alert(1)</script>"'}, {'type': 'paragraph', 'content': 'If the response or the web interface executes or reflects the injected script, it indicates the presence of the XSS vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected web interface, especially the urlfilter.cgi endpoint on port 81, to trusted users only.
Additionally, avoid using the vulnerable parameters (such as REDIRECT_PAGE and CHILDREN) with untrusted input and monitor for suspicious POST requests targeting these parameters.
Since the vulnerability arises from improper input sanitization, applying any available patches or updates from the vendor that address these XSS issues is critical.
If patches are not available, consider implementing web application firewall (WAF) rules to detect and block malicious script payloads in POST requests.