Stored Cross-Site Scripting in pfSense by Electric Sheep Fencing
CVE-2025-34174

5.1MEDIUM

Key Information:

Vendor

Netgate

Status
Pfsense Ce
Vendor
CVE Published:
9 September 2025

What is CVE-2025-34174?

In pfSense, the Traffic Totals page does not properly sanitize the 'start-day' parameter, which can allow an authenticated attacker to inject HTML and JavaScript content. This unsanitized input is saved and displayed to all users visiting the page, creating a vector for stored cross-site scripting attacks. Users with 'WebCfg - Status: Traffic Totals' permissions are particularly at risk, as their interactions could lead to the execution of malicious scripts.

Affected Version(s)

pfSense CE 2.3.2_7

References

https://github.com/pfsense/FreeBSD-ports/commit/9e412edf6...
patch
https://redmine.pfsense.org/issues/16413
issue-tracking
https://www.vulncheck.com/advisories/netgate-pf-sense-ce-...
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams (Pellera Technologies)
JSON
.