CVE-2019-25371 in OPNsenseinfo

Summary

by MITRE • 02/15/2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. Attackers can submit crafted POST requests to the diag_ping.php endpoint with script payloads in the host parameter to execute arbitrary JavaScript in users' browsers.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/20/2026

The vulnerability identified as CVE-2019-25371 represents a critical reflected cross-site scripting flaw within OPNsense version 19.1, specifically affecting the diag_ping.php web interface component. This vulnerability resides in the application's insufficient input validation mechanisms, particularly concerning the host parameter handling within the diagnostic ping functionality. The flaw enables unauthenticated attackers to exploit the web application by crafting malicious POST requests that target the diag_ping.php endpoint, thereby injecting malicious scripts that execute within the context of other users' browsers. The vulnerability demonstrates characteristics consistent with CWE-79, which defines cross-site scripting as a security flaw that allows attackers to inject client-side scripts into web applications viewed by other users. The attack vector specifically leverages the lack of proper sanitization of user-supplied input, creating a pathway for malicious code execution in the victim's browser environment.

The technical exploitation of this vulnerability requires minimal prerequisites as attackers need only send crafted POST requests to the vulnerable endpoint without requiring authentication credentials or privileged access. The host parameter serves as the primary injection point where malicious scripts can be embedded, and when the application processes these inputs without adequate validation or sanitization, the reflected XSS occurs. The reflected nature of this vulnerability means that the malicious payload is immediately reflected back to the user's browser through the application's response, making the attack immediate and potentially devastating. The attack follows the typical ATT&CK technique T1566.001, which describes social engineering through spearphishing attachments, where the malicious script execution occurs in the victim's browser context. This vulnerability specifically targets the web application's user interface components, making it particularly dangerous as it can compromise user sessions, steal cookies, redirect users to malicious sites, or even facilitate more sophisticated attacks such as credential theft or session hijacking.

The operational impact of CVE-2019-25371 extends beyond simple script execution, as it can lead to complete session compromise and unauthorized access to the OPNsense management interface. When users interact with the ping diagnostic tool, their browsers execute the injected JavaScript code, potentially allowing attackers to steal session tokens, modify user interface elements, or redirect users to malicious domains. The vulnerability affects all users who access the diag_ping.php endpoint, including administrators, making it particularly concerning for network security administrators who rely on the application's diagnostic tools. The reflected nature of the vulnerability means that successful exploitation requires user interaction with the malicious payload, typically through phishing emails or compromised web pages that direct users to the vulnerable endpoint. Organizations running OPNsense 19.1 are particularly at risk as the vulnerability exists in the core application functionality and affects the fundamental security posture of the firewall management interface.

Mitigation strategies for CVE-2019-25371 should prioritize immediate patching of affected OPNsense installations to version 19.1.1 or later, which contains the necessary input validation fixes. Network administrators should implement additional defensive measures including web application firewalls that can detect and block malicious payloads targeting the diag_ping.php endpoint, and proper input sanitization at the application layer. The implementation of Content Security Policy headers can provide additional protection against script execution, though this serves as a supplementary defense rather than a complete solution. Regular security audits and input validation testing should be conducted to identify similar vulnerabilities in other application components. The vulnerability highlights the importance of proper input validation and output encoding practices in web applications, aligning with security best practices outlined in OWASP Top 10 and the CWE hierarchy that categorizes XSS vulnerabilities under the broader category of input validation failures. Organizations should also implement user education programs to recognize potential phishing attempts that might lead to exploitation of this vulnerability, as the attack requires user interaction with malicious payloads. The remediation process should include thorough testing of patched installations to ensure that the vulnerability has been properly addressed without introducing regressions in the ping diagnostic functionality.

Responsible

VulnCheck

Reservation

02/15/2026

Disclosure

02/15/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00241

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!