CVE-2025-34178
MediumCVSS 5.4Exploitation Probability (EPSS)
High risk87th percentile - higher than 87% of all known CVEs
Summary
In pfSense CE, in the file suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting (XSS). The attacker must be authenticated with at least 'WebCfg - Services: suricata package' permissions.
Risk Assessment
The risk is that an authenticated attacker can inject malicious scripts, potentially hijacking other administrators' sessions, stealing data, or performing unauthorized actions in the management interface.
Recommendation
Update the suricata package in pfSense CE to a version that fixes the validation of the policy_name parameter. Until the update, restrict access to the suricata service to trusted administrators only.
Original NVD description (English source)
In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

