OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions.
PUBLISHED5.2CWE-79
OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php
Problem type
Affected products
Opnsense
OPNsense
19.1 - AFFECTED
References
ExploitDB-46351
https://www.exploit-db.com/exploits/46351
OPNsense Official Website
https://opnsense.org
OPNsense 19.1.1 Release Announcement
https://forum.opnsense.org/index.php?topic=11469.0
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php
https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-systemadvancedsysctlphp
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25377Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25377",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-15T13:58:58.193Z",
"dateReserved": "2026-02-15T13:24:15.625Z",
"datePublished": "2026-02-15T13:58:58.193Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-15T13:58:58.193Z"
},
"datePublic": "2019-02-01T00:00:00.000Z",
"title": "OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php",
"descriptions": [
{
"lang": "en",
"value": "OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. Attackers can craft POST requests with script payloads in the value parameter to execute JavaScript in the context of authenticated user sessions."
}
],
"affected": [
{
"vendor": "Opnsense",
"product": "OPNsense",
"versions": [
{
"version": "19.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/46351",
"name": "ExploitDB-46351",
"tags": [
"exploit"
]
},
{
"url": "https://opnsense.org",
"name": "OPNsense Official Website",
"tags": [
"product"
]
},
{
"url": "https://forum.opnsense.org/index.php?topic=11469.0",
"name": "OPNsense 19.1.1 Release Announcement",
"tags": [
"patch"
]
},
{
"url": "https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-systemadvancedsysctlphp",
"name": "VulnCheck Advisory: OPNsense 19.1 Reflected XSS via system_advanced_sysctl.php",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
}
}
],
"solutions": [
{
"lang": "en",
"value": "OPNsense 19.1.1 released"
}
],
"credits": [
{
"lang": "en",
"value": "Ozer Goker",
"type": "finder"
}
]
}
}
}