CVE-2025-34174

Sažetak

In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.

Reference

https://github.com/pfsense/FreeBSD-ports/commit/9e412edf62113303c36c7f7d5a48b0a3fb0be893
https://redmine.pfsense.org/issues/16413
https://www.vulncheck.com/advisories/netgate-pf-sense-ce-status-traffic-totals-stored-xss

CVSS

Base:	5.4
Impact:	2.7
Exploitability:	2.3

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

10-10-2025 - 18:47

Objavljeno

09-09-2025 - 20:15