In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
References
| Link | Resource |
|---|---|
| https://github.com/pfsense/FreeBSD-ports/commit/9e412edf62113303c36c7f7d5a48b0a3fb0be893 | Patch |
| https://redmine.pfsense.org/issues/16413 | Issue Tracking |
| https://www.vulncheck.com/advisories/netgate-pf-sense-ce-status-traffic-totals-stored-xss | Third Party Advisory |
Configurations
History
10 Oct 2025, 18:47
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Pfsense
Pfsense pfsense |
|
| CPE | cpe:2.3:a:pfsense:pfsense:*:*:*:*:community:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| References | () https://github.com/pfsense/FreeBSD-ports/commit/9e412edf62113303c36c7f7d5a48b0a3fb0be893 - Patch | |
| References | () https://redmine.pfsense.org/issues/16413 - Issue Tracking | |
| References | () https://www.vulncheck.com/advisories/netgate-pf-sense-ce-status-traffic-totals-stored-xss - Third Party Advisory |
17 Sep 2025, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
09 Sep 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-09 20:15
Updated : 2025-10-10 18:47
NVD link : CVE-2025-34174
Mitre link : CVE-2025-34174
CVE.ORG link : CVE-2025-34174
JSON object : View
Products Affected
pfsense
- pfsense
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')