CVE-2025-41357
Reflected XSS in Anon Proxy Server /diagdns.php Host Parameter
Publication date: 2026-03-31
Last updated on: 2026-04-07
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anonproxyserver | anon_proxy_server | 0.104 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue found in Anon Proxy Server version 0.104. It occurs in the 'host' parameter of the '/diagdns.php' endpoint. An attacker can exploit this by sending a malicious URL to a victim, causing the victim's browser to execute attacker-controlled JavaScript code.
This execution of malicious code can lead to unauthorized actions such as stealing sensitive user data like session cookies or performing actions on behalf of the user without their consent.
How can this vulnerability impact me? :
The impact of this vulnerability includes the potential theft of sensitive user information, such as session cookies, which can be used to hijack user sessions.
Additionally, attackers can perform unauthorized actions on behalf of the user, potentially leading to further compromise of user accounts or data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104 allows attackers to execute malicious JavaScript in a victim's browser, potentially stealing sensitive user data such as session cookies or performing unauthorized actions on behalf of the user.
Such unauthorized access and data theft can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information from unauthorized access and breaches.
Therefore, this vulnerability could negatively impact compliance with these standards by exposing user data to attackers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'host' parameter in the '/diagdns.php' endpoint for reflected Cross-Site Scripting (XSS) issues. One common method is to send a crafted URL containing JavaScript payloads in the 'host' parameter and observe if the payload is executed or reflected in the response.
- Use curl or similar tools to send requests with XSS payloads, for example: curl -v "http://target/diagdns.php?host=<script>alert(1)</script>"
- Monitor HTTP responses for reflected script tags or suspicious JavaScript code in the response body.
- Use web vulnerability scanners that support detection of reflected XSS vulnerabilities targeting specific parameters and endpoints.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update Anon Proxy Server to the latest version where this reflected XSS vulnerability has been fixed.
Additionally, applying input validation and output encoding on the 'host' parameter in the '/diagdns.php' endpoint can help prevent exploitation.
As a temporary measure, consider implementing web application firewall (WAF) rules to block malicious payloads targeting this parameter.