CVE Catalog

CVE-2025-34178

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
3.40%

87th percentile - higher than 87% of all known CVEs

Summary

In pfSense CE, in the file suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting (XSS). The attacker must be authenticated with at least 'WebCfg - Services: suricata package' permissions.

Risk Assessment

The risk is that an authenticated attacker can inject malicious scripts, potentially hijacking other administrators' sessions, stealing data, or performing unauthorized actions in the management interface.

Recommendation

Update the suricata package in pfSense CE to a version that fixes the validation of the policy_name parameter. Until the update, restrict access to the suricata service to trusted administrators only.

Original NVD description (English source)

In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS