CVE-2025-34177
MediumCVSS 5.4Exploitation Probability (EPSS)
Elevated risk52th percentile - higher than 52% of all known CVEs
Summary
In pfSense CE, in the file suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting (XSS). The attacker must be authenticated with at least 'WebCfg - Services: suricata package' permissions.
Risk Assessment
The risk involves an authenticated user injecting a malicious script, potentially hijacking other administrators' sessions, stealing data, or performing unauthorized actions in the pfSense management interface.
Recommendation
Immediately update the Suricata package in pfSense CE to the latest version containing the security fix. Until the update, restrict access to the management interface to trusted users only.
Original NVD description (English source)
In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

