CVE Catalog

CVE-2025-34172

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.96%

58th percentile - higher than 58% of all known CVEs

Summary

In pfSense CE, the value of the showsticktablecontent parameter in /usr/local/www/haproxy/haproxy_stats.php is displayed after being read from HTTP GET requests. This enables reflected cross-site scripting when the victim is authenticated.

Risk Assessment

An attacker can exploit this vulnerability to execute a malicious script in the browser of an authenticated administrator, potentially leading to session theft, configuration changes, or other unauthorized actions.

Recommendation

Immediately update pfSense CE to the latest patched version and consider implementing input filtering for the showsticktablecontent parameter.

Original NVD description (English source)

In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS