CVE-2019-25404
Stored XSS in Comodo Dome Firewall Admin Parameters
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comodo | dome_firewall | to 2.7.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25404 is a stored cross-site scripting (XSS) vulnerability in Comodo Dome Firewall version 2.7.0. It allows authenticated attackers to inject malicious scripts by submitting specially crafted input through admin management parameters.
Attackers can inject script payloads into the admin_name, name, and surname parameters via POST requests to the /korugan/admins endpoint. These scripts are stored on the server and executed when administrators access the affected interface, potentially leading to unauthorized script execution in the context of the admin user.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can lead to unauthorized script execution within the administrator's interface of the Comodo Dome Firewall. An attacker who successfully exploits this flaw can execute malicious scripts in the context of an admin user, which may allow them to perform actions such as stealing sensitive information, manipulating firewall settings, or further compromising the system."}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring POST requests to the /korugan/admins endpoint, specifically looking for suspicious or crafted input in the admin_name, name, and surname parameters.'}, {'type': 'paragraph', 'content': 'One way to detect potential exploitation attempts is to capture and analyze HTTP POST traffic targeting the /korugan/admins endpoint for unusual script payloads.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity could include using network traffic analysis tools like tcpdump or Wireshark to filter POST requests to the vulnerable endpoint.'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/korugan/admins'"}, {'type': 'list_item', 'content': 'Use a web application firewall (WAF) or intrusion detection system (IDS) to alert on POST requests containing script tags or suspicious payloads in the admin_name, name, or surname parameters.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /korugan/admins endpoint to trusted administrators only and ensuring that only authenticated users with proper privileges can access it.
Additionally, input validation and sanitization should be applied to the admin_name, name, and surname parameters to prevent script injection.
If possible, apply any available patches or updates from Comodo that address this vulnerability.
As a temporary measure, monitoring and blocking suspicious POST requests containing script payloads targeting the vulnerable parameters can reduce risk.