CVE-2025-34178

Netgate pfSense CE Suricata package v7.0.8_2 Stored Cross-Site Scripting

Description

In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

INFO

Published Date :

2025-09-09T20:23:44.475Z

Last Modified :

2025-11-20T12:22:56.508Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2025-34178 vulnerability.

Vendors	Products
Netgate	Pfsense Ce Pfsense Plus
Pfsense	Pfsense

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34178.

URL	Resource
https://github.com/pfsense/FreeBSD-ports/commit/97852ccfd201b24ee542be30af81272485fde0b4
https://redmine.pfsense.org/issues/16414
https://www.vulncheck.com/advisories/netgate-pf-sense-ce-suricata-package-stored-xss

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact