Reflected Cross-Site Scripting Vulnerability in pfSense by Netgate
CVE-2025-34172
CVSS v4 score: 4.8 (MEDIUM)
What is CVE-2025-34172?
pfSense CE is affected by a reflected cross-site scripting (XSS) vulnerability in the 'showsticktablecontent' parameter of haproxy_stats.php. The parameter's value, supplied via an HTTP GET request, is reflected into the page without adequate output encoding, so an authenticated user who opens a crafted request can have attacker-controlled script executed in the context of their browser session, potentially leading to unauthorized actions or data exposure. Users are advised to apply the available patches to mitigate this risk.
Affected Version(s)
pfSense CE 0.63_10
CVSS v4
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Credit
Alex Williams (Pellera Technologies)
