CVE-2019-25370 Overview
CVE-2019-25370 is a reflected cross-site scripting (XSS) vulnerability affecting OPNsense 19.1, an open-source firewall and routing platform. The flaw resides in the interfaces_vlan_edit.php endpoint, which fails to properly sanitize the tag, descr, and vlanif POST parameters before reflecting them into the response. Attackers can craft malicious requests containing JavaScript payloads to execute arbitrary script code in the browser of an authenticated administrator. Successful exploitation can lead to session theft, configuration tampering, or pivoting into the firewall management interface. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Reflected XSS in the OPNsense VLAN configuration page enables attackers to execute arbitrary JavaScript in an administrator's session, potentially exposing firewall management functionality.
Affected Products
- OPNsense 19.1
- interfaces_vlan_edit.php web management component
- Deployments exposing the OPNsense web GUI to untrusted networks
Discovery Timeline
- 2026-02-15 - CVE-2019-25370 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2019-25370
Vulnerability Analysis
The vulnerability exists in the OPNsense web administration interface, specifically in the VLAN edit page. When a user submits a POST request to interfaces_vlan_edit.php, the application reflects the values of the tag, descr, and vlanif parameters into the rendered HTML response without adequate output encoding. An attacker who can convince an authenticated administrator to submit a crafted request, for example through a malicious link or auto-submitting form, can inject JavaScript that executes within the firewall's management origin.
Because the OPNsense GUI typically runs with elevated administrative privileges, script execution in this context provides access to firewall configuration, firewall rules, VPN settings, and credentials managed through the interface. The reflected nature of the issue requires user interaction, which is reflected in the CVSS UI:A metric.
Root Cause
The root cause is missing or insufficient output encoding of user-controlled POST parameters before they are written into HTML responses. The handler in interfaces_vlan_edit.php echoes input back to the browser without applying contextual escaping appropriate for HTML attribute or element contexts, allowing <script> payloads and event-handler attributes to render as executable code.
Attack Vector
Exploitation requires an authenticated administrator to visit an attacker-controlled page or click a crafted link that issues a POST request to the vulnerable endpoint. The attacker hosts a page containing an auto-submitting HTML form targeting interfaces_vlan_edit.php on the victim's OPNsense instance, with payloads placed in the tag, descr, or vlanif fields. Refer to the VulnCheck OPNsense Advisory and Exploit-DB #46351 for technical specifics.
// No verified exploit code is reproduced here. See the linked
// Exploit-DB and VulnCheck advisories for technical proof-of-concept details.
Detection Methods for CVE-2019-25370
Indicators of Compromise
- POST requests to interfaces_vlan_edit.php containing <script>, onerror=, onload=, or javascript: substrings in the tag, descr, or vlanif parameters.
- Web server access logs showing referrers from external or unexpected domains immediately preceding POST submissions to the VLAN edit endpoint.
- Unexpected administrative configuration changes following an administrator browsing session.
Detection Strategies
- Inspect HTTP request bodies sent to the OPNsense GUI for HTML tags and JavaScript event handlers in VLAN parameters.
- Deploy a Web Application Firewall (WAF) rule that blocks reflected XSS payload patterns targeting interfaces_vlan_edit.php.
- Correlate administrator authentication events with subsequent configuration mutation events to detect unauthorized changes triggered via XSS.
Monitoring Recommendations
- Enable verbose access logging on the OPNsense GUI and forward logs to a centralized SIEM for parameter-level inspection.
- Alert on any GUI requests originating from non-management network segments.
- Monitor for browser console errors or Content Security Policy (CSP) violation reports indicating injected script execution.
How to Mitigate CVE-2019-25370
Immediate Actions Required
- Upgrade OPNsense to a version later than 19.1 that includes input sanitization fixes for the VLAN edit handler.
- Restrict access to the OPNsense web management interface to trusted management networks only.
- Require administrators to use dedicated, hardened browsers for firewall administration and to log out of unrelated web sessions.
Patch Information
No specific patch identifier is listed in the NVD entry. Administrators should consult the OPNsense Forum Topic and the OPNsense Official Website for the latest stable release that supersedes 19.1 and addresses this issue.
Workarounds
- Place the OPNsense GUI behind a reverse proxy or VPN that enforces strict source IP filtering.
- Enforce a strict Content Security Policy on the management interface to limit inline script execution.
- Disable concurrent browsing of untrusted sites while administering the firewall, mitigating the user-interaction requirement of the attack.
# Example: restrict OPNsense GUI access to a management subnet via firewall rule
# Allow only 10.0.0.0/24 (management LAN) to reach the GUI on TCP/443
block in quick on wan proto tcp to (self) port 443
pass in quick on mgmt proto tcp from 10.0.0.0/24 to (self) port 443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
