CVE-2019-25368

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-25368
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-25368.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-25368
Published
2026-02-15T14:16:06.190Z
Modified
2026-03-10T22:31:46.467881Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diagbackup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDriveGDriveEmail, GDriveGDriveFolderID, GDriveGDriveBackupCount, Nextcloudurl, Nextclouduser, Nextcloudpassword, Nextcloudpasswordencryption, and Nextcloudbackupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.

References

Affected packages

Git / github.com/opnsense/core

Affected ranges

Type
GIT
Repo
https://github.com/opnsense/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
33279d1d2410a4bfa2896efd2f033b8234396ad8
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "19.1"
        }
    ]
}

Affected versions

15.*
15.1
15.1.1
15.1.10
15.1.10.1
15.1.10.2
15.1.11
15.1.11.1
15.1.11.2
15.1.11.3
15.1.11.4
15.1.12
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.1.6.1
15.1.7
15.1.7.1
15.1.7.2
15.1.8
15.1.8.1
15.1.8.2
15.1.8.3
15.1.8.4
15.1.9
15.1.9.1
15.1.9.2
15.7
16.*
16.7.a
16.7.b
16.7.r
17.*
17.1.a
17.1.b
17.1.r
17.7.a
17.7.b
17.7.r
18.*
18.1.a
18.1.b
18.1.r
18.7.a
18.7.b
18.7.r
19.*
19.1.a
19.1.b
19.1.r

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-25368.json"