CVE-2025-41356
Reflected XSS in Anon Proxy Server /diagconnect.php Host Parameter
Publication date: 2026-03-31
Last updated on: 2026-04-07
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anonproxyserver | anon_proxy_server | 0.104 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41356 is a reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server version 0.104. It occurs in the 'host' parameter of the '/diagconnect.php' endpoint. This vulnerability allows an attacker to execute arbitrary JavaScript code in the victim's browser by sending a malicious URL.
The attacker can exploit this flaw to steal sensitive user data such as session cookies or perform unauthorized actions on behalf of the user.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in your browser when you click on a specially crafted URL.
As a result, attackers may steal sensitive information like session cookies, which can lead to account hijacking or impersonation.
Additionally, attackers could perform actions on your behalf without your consent, potentially compromising your security and privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'host' parameter in the '/diagconnect.php' endpoint for reflected Cross-Site Scripting (XSS) issues.
One way to detect it is by sending a crafted HTTP request with a malicious JavaScript payload in the 'host' parameter and observing if the payload is reflected and executed in the response.
For example, you can use curl to send a test request like:
- curl -i "http://[target]/diagconnect.php?host=<script>alert('XSS')</script>"
If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update Anon Proxy Server to the latest version where this reflected XSS issue has been fixed.
Additionally, avoid clicking on or sharing suspicious URLs containing untrusted input in the 'host' parameter.
Implement input validation and output encoding on the server side to prevent execution of malicious scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104 allows attackers to execute arbitrary JavaScript code in a victim's browser, potentially leading to theft of sensitive user data such as session cookies or unauthorized actions on behalf of the user.
Such unauthorized access and data theft could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Therefore, exploitation of this vulnerability could result in violations of data protection requirements mandated by these regulations.