CVE Catalog

CVE-2025-34177

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.79%

52th percentile - higher than 52% of all known CVEs

Summary

In pfSense CE, in the file suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting (XSS). The attacker must be authenticated with at least 'WebCfg - Services: suricata package' permissions.

Risk Assessment

The risk involves an authenticated user injecting a malicious script, potentially hijacking other administrators' sessions, stealing data, or performing unauthorized actions in the pfSense management interface.

Recommendation

Immediately update the Suricata package in pfSense CE to the latest version containing the security fix. Until the update, restrict access to the management interface to trusted users only.

Original NVD description (English source)

In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS