CVE-2019-25376

OPNsense 19.1 Reflected XSS via proxy endpoint

CVSS 5.1 MEDIUMEPSS 0.4%CWE-79

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

15 fev 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Produtos afetados

Opnsense · OPNsense

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://forum.opnsense.org/index.php?topic=11469.0 https://opnsense.org https://www.exploit-db.com/exploits/46351 https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-proxy-endpoint