← Back
2026-02-15 13:58CVE-2019-25375VulnCheck
PUBLISHED5.2CWE-79

OPNsense 19.1 Reflected XSS via monit interface

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.

Problem type

Affected products

Opnsense

OPNsense

19.1 - AFFECTED

References

ExploitDB-46351

https://www.exploit-db.com/exploits/46351

exploit
OPNsense Official Website

https://opnsense.org

product
OPNsense 19.1.1 Release Announcement

https://forum.opnsense.org/index.php?topic=11469.0

patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via monit interface

https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-monit-interface

third-party-advisory

GitHub Security Advisories

GHSA-6333-cc9f-9589

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated...

https://github.com/advisories/GHSA-6333-cc9f-9589

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2019-25375

forum.opnsense.org

https://forum.opnsense.org/index.php?topic=11469.0

opnsense.org

https://opnsense.org

exploit-db.com

https://www.exploit-db.com/exploits/46351

vulncheck.com

https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-monit-interface

github.com

https://github.com/advisories/GHSA-6333-cc9f-9589

JSON source

https://cveawg.mitre.org/api/cve/CVE-2019-25375
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2019-25375",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-02-15T13:58:56.731Z",
    "dateReserved": "2026-02-15T13:21:00.205Z",
    "datePublished": "2026-02-15T13:58:56.731Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-02-15T13:58:56.731Z"
      },
      "datePublic": "2019-02-01T00:00:00.000Z",
      "title": "OPNsense 19.1 Reflected XSS via monit interface",
      "descriptions": [
        {
          "lang": "en",
          "value": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers."
        }
      ],
      "affected": [
        {
          "vendor": "Opnsense",
          "product": "OPNsense",
          "versions": [
            {
              "version": "19.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/46351",
          "name": "ExploitDB-46351",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://opnsense.org",
          "name": "OPNsense Official Website",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://forum.opnsense.org/index.php?topic=11469.0",
          "name": "OPNsense 19.1.1 Release Announcement",
          "tags": [
            "patch"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-monit-interface",
          "name": "VulnCheck Advisory: OPNsense 19.1 Reflected XSS via monit interface",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "OPNsense 19.1.1 released"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ozer Goker",
          "type": "finder"
        }
      ]
    }
  }
}