Nixpkgs security tracker

Untriaged

Permalink CVE-2019-25368

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

OPNsense 19.1 Reflected XSS via diag_backup.php

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.

References

ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via diag_backup.php third-party-advisory

Affected products

OPNsense

==19.1

Matching in nixpkgs

pkgs.prometheus-opnsense-exporter

Prometheus exporter for opnsense firewall appliances

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.11
- nixos-25.11-small 0.0.11
- nixpkgs-25.11-darwin 0.0.11

pkgs.python312Packages.pyopnsense

Python client for the OPNsense API

nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python313Packages.pyopnsense

Python client for the OPNsense API

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0
nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python314Packages.pyopnsense

Python client for the OPNsense API

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.home-assistant-component-tests.opnsense

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.opnsense

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.1
- nixpkgs-unstable 2026.2.1
- nixos-unstable-small 2026.2.1

Package maintainers

@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@paepckehh Michael Paepcke <git@paepcke.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.prometheus-opnsense-exporter

pkgs.python312Packages.pyopnsense

pkgs.python313Packages.pyopnsense

pkgs.python314Packages.pyopnsense

pkgs.home-assistant-component-tests.opnsense

pkgs.tests.home-assistant-component-tests.opnsense

Package maintainers