CVE-2025-34172

CVE Database · CVE-2025-34172

CVE-2025-34172

· MEDIUMAnalyzed

CVSS v3.1

6.1

CVSS v4.0

4.8

EPSS

0.96%

Published

Sep 9, 2025

Modified

Oct 10, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Affected Products (1)

pfsense · pfsense (up to 2.8.0)vulnerable

References (3)

https://github.com/pfsense/FreeBSD-ports/commit/04d1328ab077830eb57a24bb7018c812b6358c64

Patch

https://redmine.pfsense.org/issues/16411

Issue Tracking

https://www.vulncheck.com/advisories/netgate-pf-sense-ce-ha-proxy-reflected-xss

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs