CVE-2025-34174: Cross-site Scripting in pfSense

Severity: 5.1 MEDIUM (NVD)
EPSS: 0.0% (top 91.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 9

Description

In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is neither validated as numeric nor sanitized of HTML-related characters/strings before being displayed directly in the input box. This value can be saved as the default value that is displayed to all users visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
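What the description implies about the fix, as an added example (constructed here, not pfSense's own status_traffic_totals.php code): the unsafe form echoes the raw start-day parameter into the input's value attribute, while the hardened form validates it as an integer before it can be stored as the shared default and HTML-escapes it on output. The function names, the 1..31 day range and the $config layout are assumptions.

```php
<?php
// Added example (constructed, not pfSense's own status_traffic_totals.php):
// unsafe versus hardened handling of a "start-day" request parameter that is
// echoed into an <input> and may be persisted as the page default for all users.

// Unsafe pattern: the raw string reaches the value attribute unvalidated and
// unescaped, so a value containing HTML metacharacters is rendered as markup.
function render_start_day_unsafe(string $startDay): string
{
    return '<input type="text" name="start-day" value="' . $startDay . '">';
}

// Validate on input: accept only an integer day-of-month (the 1..31 range is
// an assumption). Returning null lets the caller refuse to store the value.
function validate_start_day(string $raw): ?int
{
    $day = filter_var(trim($raw), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 31]]);
    return $day === false ? null : $day;
}

// Escape on output regardless of validation: ENT_QUOTES covers both quote
// styles, which matters inside an attribute value.
function render_start_day_safe(?int $day, int $default = 1): string
{
    $value = htmlspecialchars((string) ($day ?? $default), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="start-day" value="' . $value . '">';
}

// Persist only a validated value; an invalid submission leaves the default alone.
function update_stored_default(array &$config, string $submitted): bool
{
    $day = validate_start_day($submitted);
    if ($day === null) {
        return false;   // rejected, nothing written to the shared default
    }
    $config['traffic_totals']['start-day'] = $day;
    return true;
}

// Walk-through with constructed submissions: numeric, HTML-bearing, out of range.
$config = ['traffic_totals' => ['start-day' => 1]];
foreach (['15', '<b>15</b>', '0'] as $submitted) {
    $saved = update_stored_default($config, $submitted);
    printf("%-10s saved=%-3s stored=%d\n", $submitted, $saved ? 'yes' : 'no',
        $config['traffic_totals']['start-day']);
}
echo render_start_day_safe($config['traffic_totals']['start-day']), PHP_EOL;
```

Only the numeric submission is persisted; the HTML-bearing and out-of-range values are rejected before they can become the default shown to every user, and the escape on output remains as defence in depth.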

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages (2 packages)

NVD: pfsense/pfsense < 2.8.0
CVEListV5: netgate/pfsense_ce 2.3.2_7

Patches

Vulnerability Details (1)

GHSA-6p4q-ch45-w85q (GHSA, 2025-09-09): In pfSense CE /usr/local/www/status_traffic_totals