CVE-2025-34174

Source
https://cve.org/CVERecord?id=CVE-2025-34174
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34174.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-34174
Published
2025-09-09T20:02:05.701Z
Modified
2026-07-08T07:04:16.583532269Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Netgate pfSense CE Status_Traffic_Totals Package v2.3.2_7 Stored Cross-Site Scripting
Details

In pfSense CEĀ /usr/local/www/statustraffictotals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-79"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "2.3.2_7"
                },
                {
                    "last_affected": "2.3.2_7"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/34xxx/CVE-2025-34174.json"
}
References

Affected packages

Git / github.com/pfsense/freebsd-ports

Affected ranges

Type
GIT
Repo
https://github.com/pfsense/freebsd-ports
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

Other
END-OF-2015Q4
devel_before_hashes_changed

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34174.json"