CVE-2019-25376 in OPNsenseinfo

Summary

by MITRE • 02/15/2026

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogACL parameter to execute arbitrary scripts in users' browsers.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/20/2026

This vulnerability exists within OPNsense version 19.1, a popular open-source firewall and router operating system that provides web-based management interfaces. The reflected cross-site scripting flaw specifically targets the proxy endpoint functionality where the ignoreLogACL parameter is processed without adequate input sanitization or output encoding. This weakness allows unauthenticated attackers to exploit the system by crafting malicious POST requests that contain JavaScript payloads within the ignoreLogACL parameter. The vulnerability represents a critical security risk as it enables remote code execution within victim browsers without requiring any authentication credentials or privileged access to the system.

The technical implementation of this vulnerability stems from improper validation and sanitization of user-supplied input within the web application layer. When the system processes the ignoreLogACL parameter, it fails to properly encode or escape the input before returning it to the user's browser context. This creates an environment where attacker-controlled data can be executed as JavaScript code within the victim's browser session. The reflected nature of this XSS vulnerability means that the malicious payload is immediately reflected back to the user without being stored on the server, making it particularly challenging to detect and prevent through traditional security measures. The attack vector specifically leverages the proxy endpoint functionality, which is commonly used for managing network traffic and access control policies within firewall systems.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with the capability to perform session hijacking, data theft, and privilege escalation within the browser context. An attacker could potentially steal user session cookies, redirect victims to malicious websites, or inject additional malicious code to establish persistent access to the victim's browser environment. This vulnerability particularly affects users who access the OPNsense web interface through potentially untrusted networks or who may be browsing while logged into the firewall management system. The unauthenticated nature of the attack means that any user who accesses the vulnerable proxy endpoint could be compromised, regardless of their authentication status or role within the system. The implications are significant for network administrators who rely on OPNsense for their security infrastructure, as compromised browser sessions could lead to unauthorized access to network configuration settings and traffic management controls.

Organizations should immediately implement multiple layers of defense to protect against this vulnerability. The primary mitigation involves updating to OPNsense version 19.1_1 or later, which includes patched code that properly sanitizes the ignoreLogACL parameter through input validation and output encoding techniques. Network administrators should also implement web application firewalls that can detect and block suspicious POST requests containing known XSS patterns, particularly targeting the proxy endpoint and ignoreLogACL parameter combinations. Additionally, implementing content security policies and disabling unnecessary proxy functionality where possible can reduce the attack surface. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a technique commonly documented in ATT&CK framework under T1059.007 for scripting languages and T1566 for social engineering through malicious web content, making it a critical concern for both defensive and offensive security teams.

Responsible

VulnCheck

Reservation

02/15/2026

Disclosure

02/15/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00363

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!