Nixpkgs security tracker

Untriaged

Permalink CVE-2019-25374

6.1 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

OPNsense 19.1 Reflected XSS via vpn_ipsec_settings.php

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to execute arbitrary code in users' browsers.

References

ExploitDB-46351 exploit
OPNsense Official Website product
OPNsense 19.1.1 Release Announcement patch
VulnCheck Advisory: OPNsense 19.1 Reflected XSS via vpn_ipsec_settings.php third-party-advisory

Affected products

OPNsense

==19.1

Matching in nixpkgs

pkgs.prometheus-opnsense-exporter

Prometheus exporter for opnsense firewall appliances

nixos-unstable 0.0.12
- nixpkgs-unstable 0.0.12
- nixos-unstable-small 0.0.12
nixos-25.11 0.0.11
- nixos-25.11-small 0.0.11
- nixpkgs-25.11-darwin 0.0.11

pkgs.python312Packages.pyopnsense

Python client for the OPNsense API

nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python313Packages.pyopnsense

Python client for the OPNsense API

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0
nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python314Packages.pyopnsense

Python client for the OPNsense API

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.home-assistant-component-tests.opnsense

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.opnsense

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.1
- nixpkgs-unstable 2026.2.1
- nixos-unstable-small 2026.2.1

Package maintainers

@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@paepckehh Michael Paepcke <git@paepcke.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.prometheus-opnsense-exporter

pkgs.python312Packages.pyopnsense

pkgs.python313Packages.pyopnsense

pkgs.python314Packages.pyopnsense

pkgs.home-assistant-component-tests.opnsense

pkgs.tests.home-assistant-component-tests.opnsense

Package maintainers