CVE-2025-34172
MediumCVSS 6.1Exploitation Probability (EPSS)
Elevated risk58th percentile - higher than 58% of all known CVEs
Summary
In pfSense CE, the value of the showsticktablecontent parameter in /usr/local/www/haproxy/haproxy_stats.php is displayed after being read from HTTP GET requests. This enables reflected cross-site scripting when the victim is authenticated.
Risk Assessment
An attacker can exploit this vulnerability to execute a malicious script in the browser of an authenticated administrator, potentially leading to session theft, configuration changes, or other unauthorized actions.
Recommendation
Immediately update pfSense CE to the latest patched version and consider implementing input filtering for the showsticktablecontent parameter.
Original NVD description (English source)
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.

