OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.
PUBLISHED5.2CWE-79
OPNsense 19.1 Reflected XSS via proxy endpoint
Problem type
Affected products
Opnsense
OPNsense
19.1 - AFFECTED
References
ExploitDB-46351
https://www.exploit-db.com/exploits/46351
OPNsense Official Website
https://opnsense.org
OPNsense 19.1.1 Release Announcement
https://forum.opnsense.org/index.php?topic=11469.0
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via proxy endpoint
https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-proxy-endpoint
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25376Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25376",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-15T13:58:57.461Z",
"dateReserved": "2026-02-15T13:21:11.254Z",
"datePublished": "2026-02-15T13:58:57.461Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-15T13:58:57.461Z"
},
"datePublic": "2019-02-01T00:00:00.000Z",
"title": "OPNsense 19.1 Reflected XSS via proxy endpoint",
"descriptions": [
{
"lang": "en",
"value": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers."
}
],
"affected": [
{
"vendor": "Opnsense",
"product": "OPNsense",
"versions": [
{
"version": "19.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/46351",
"name": "ExploitDB-46351",
"tags": [
"exploit"
]
},
{
"url": "https://opnsense.org",
"name": "OPNsense Official Website",
"tags": [
"product"
]
},
{
"url": "https://forum.opnsense.org/index.php?topic=11469.0",
"name": "OPNsense 19.1.1 Release Announcement",
"tags": [
"patch"
]
},
{
"url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-proxy-endpoint",
"name": "VulnCheck Advisory: OPNsense 19.1 Reflected XSS via proxy endpoint",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM"
}
}
],
"solutions": [
{
"lang": "en",
"value": "OPNsense 19.1.1 released"
}
],
"credits": [
{
"lang": "en",
"value": "Ozer Goker",
"type": "finder"
}
]
}
}
}