CVE-2019-25375 in OPNsenseinfo

Summary

by MITRE • 02/15/2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the mailserver parameter. Attackers can send POST requests to the monit interface with JavaScript payloads in the mailserver parameter to execute arbitrary code in users' browsers.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/20/2026

The vulnerability identified as CVE-2019-25375 represents a critical reflected cross-site scripting flaw within OPNsense version 19.1 operating system. This security weakness resides in the system's handling of user input through the monit interface, specifically targeting the mailserver parameter that processes POST requests. The vulnerability enables unauthenticated attackers to exploit the web application's failure to properly validate and sanitize input data, creating a pathway for malicious script injection that can compromise user browser sessions.

The technical implementation of this vulnerability stems from insufficient input validation and output sanitization mechanisms within the OPNsense monit interface. When the system processes POST requests containing malicious payloads in the mailserver parameter, it fails to properly encode or escape special characters that could be interpreted as executable JavaScript code. This reflected XSS vulnerability operates by injecting malicious scripts that are immediately reflected back to the victim's browser without being stored on the server, making it particularly dangerous as it requires no persistent storage of malicious content. The flaw directly aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as weaknesses in web applications that fail to properly validate or escape user-supplied data before incorporating it into dynamically generated content.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities within users' browser contexts. Successful exploitation allows threat actors to hijack user sessions, steal authentication tokens, redirect users to malicious websites, or even execute arbitrary code within the victim's browser environment. The unauthenticated nature of this attack means that any user accessing the affected OPNsense interface could be compromised simply by submitting the malicious POST request, potentially affecting system administrators, network operators, or other authorized users who might interact with the monit interface. This vulnerability particularly threatens the integrity of the system's administrative interface, as it could enable attackers to gain unauthorized access to sensitive system information or perform privileged actions through session hijacking.

Organizations utilizing OPNsense 19.1 should prioritize immediate remediation through official security patches provided by the OPNsense development team, as this vulnerability represents a significant risk to network security infrastructure. The mitigation strategy should include comprehensive input validation for all parameters within the monit interface, implementation of proper output encoding mechanisms, and deployment of web application firewalls that can detect and block suspicious script injection attempts. Additionally, network administrators should consider implementing strict access controls to limit exposure of the monit interface to trusted users only, while monitoring for anomalous POST requests that may indicate exploitation attempts. The vulnerability also highlights the importance of regular security assessments and vulnerability scanning of network infrastructure components, as reflected XSS flaws often indicate broader input validation weaknesses that may affect other system components. This issue aligns with ATT&CK technique T1059.007 for scripting and T1566.001 for malicious file execution, demonstrating how such vulnerabilities can serve as initial access vectors for more sophisticated attack chains.

Responsible

VulnCheck

Reservation

02/15/2026

Disclosure

02/15/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00360

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!