CVE-2019-25379 in Express
Summary
by MITRE • 02/16/2026
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains stored and reflected cross-site scripting vulnerabilities in the urlfilter.cgi endpoint that allow attackers to inject malicious scripts. Attackers can submit POST requests with script payloads in the REDIRECT_PAGE or CHILDREN parameters to execute arbitrary JavaScript in user browsers.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/18/2026
The vulnerability identified as CVE-2019-25379 affects Smoothwall Express version 3.1-SP4-polar-x86_64-update9, representing a critical cross-site scripting flaw that compromises web application security. This vulnerability manifests in both stored and reflected XSS categories, creating a particularly dangerous attack surface for the firewall appliance's web interface. The affected endpoint urlfilter.cgi serves as the primary vector for exploitation, where the application fails to properly sanitize user input before processing and rendering it within web responses.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the Smoothwall web interface. Attackers can leverage POST requests to inject malicious JavaScript payloads through the REDIRECT_PAGE or CHILDREN parameters, which are processed by the urlfilter.cgi endpoint without adequate sanitization. When these parameters contain script code, the web application stores or reflects the malicious content directly into HTML responses, enabling execution of arbitrary JavaScript within the context of authenticated user sessions. This flaw operates under CWE-79 which specifically addresses cross-site scripting vulnerabilities through improper neutralization of input during web page generation.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to hijack user sessions, steal sensitive authentication tokens, and potentially escalate privileges within the firewall management interface. Since Smoothwall appliances typically require administrative access for configuration changes, successful exploitation could allow attackers to modify firewall rules, redirect traffic, or gain unauthorized access to network resources. The reflected nature of the vulnerability means that attackers can craft malicious URLs that, when clicked by victims, immediately execute scripts in their browsers without requiring persistent storage of malicious content.
The attack scenario typically involves an attacker sending crafted POST requests to the vulnerable urlfilter.cgi endpoint with malicious payloads embedded in the specified parameters. These requests can originate from external sources or be delivered through social engineering techniques targeting administrators who might click on malicious links. The stored aspect of the vulnerability occurs when the application accepts and persists these malicious inputs, making them available to other users who access the affected pages. This dual nature increases the attack surface significantly, as both immediate reflected attacks and persistent stored attacks can be executed against the system.
Organizations should implement immediate mitigations including input validation and output encoding at the web application level, ensuring that all user-supplied parameters undergo strict sanitization before being processed or rendered. Network segmentation and access controls should be strengthened to limit exposure of the vulnerable web interface to untrusted networks. Regular security updates and patches should be applied to ensure the appliance runs the latest secure version, while monitoring logs for suspicious activity related to the urlfilter.cgi endpoint. The vulnerability aligns with ATT&CK technique T1059.007 for command and script injection, and T1566 for phishing attacks that leverage XSS to deliver malicious payloads to victims.