Home

Description

In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.

PUBLISHED Reserved 2025-04-15 | Published 2025-09-09 | Updated 2025-09-17 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unaffected

2.3.2_7 (custom)
affected

Credits

Alex Williams (Pellera Technologies) finder

References

github.com/...ommit/9e412edf62113303c36c7f7d5a48b0a3fb0be893 patch

redmine.pfsense.org/issues/16413 issue-tracking

www.vulncheck.com/...nse-ce-status-traffic-totals-stored-xss third-party-advisory

cve.org (CVE-2025-34174)

nvd.nist.gov (CVE-2025-34174)

Download JSON