CVE-2026-34814: Endian Firewall Stored XSS Vulnerability

CVE-2026-34814 Overview

Endian Firewall version 3.3.25 and prior versions contain a stored cross-site scripting (XSS) vulnerability in the proxy group management functionality. The vulnerability exists in the group parameter passed to /cgi-bin/proxygroup.cgi, which fails to properly sanitize user-supplied input before storing and rendering it in the web interface. An authenticated attacker can exploit this flaw to inject arbitrary JavaScript code that persists on the server and executes in the context of other users' browsers when they view the affected page.

Critical Impact

Authenticated attackers can inject persistent malicious JavaScript that executes in the context of other administrators' sessions, potentially leading to session hijacking, credential theft, or unauthorized administrative actions on the firewall.

Affected Products

• Endian Firewall version 3.3.25
• Endian Firewall versions prior to 3.3.25
• Endian Firewall Community Edition (unpatched versions)

Discovery Timeline

• 2026-04-02 - CVE-2026-34814 published to NVD
• 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-34814

Vulnerability Analysis

This stored XSS vulnerability (CWE-79) affects the Endian Firewall web administration interface, specifically the proxy group configuration module. The vulnerability allows an authenticated user to inject malicious JavaScript code through the group parameter when creating or modifying proxy groups. Because the input is stored server-side without adequate sanitization and later rendered to other users without proper output encoding, the malicious script executes whenever another administrator views the affected proxy group configuration page.

The attack requires network access to the firewall's administrative interface and valid authentication credentials. However, the impact extends beyond the attacking user's session—the stored payload can affect any administrator who subsequently accesses the compromised page. This persistence makes the vulnerability particularly dangerous in multi-administrator environments, as it enables privilege escalation through session hijacking or administrative action automation.

Root Cause

The root cause of this vulnerability lies in insufficient input validation and output encoding within the /cgi-bin/proxygroup.cgi script. When processing the group parameter, the application fails to sanitize special characters such as <, >, ", and ' that are essential components of HTML and JavaScript syntax. Additionally, when the stored group name is rendered back to the browser, proper HTML entity encoding is not applied, allowing the injected script tags to be interpreted as executable code rather than being displayed as harmless text.

Attack Vector

The attack is conducted over the network against the Endian Firewall web management interface. An authenticated attacker navigates to the proxy group management section and submits a malicious payload through the group parameter. The payload, containing JavaScript code wrapped in script tags or event handlers, is stored in the firewall's configuration database.

When a victim administrator accesses the proxy group listing or configuration page, the stored malicious JavaScript executes within their browser session. This enables the attacker to steal session cookies, perform actions on behalf of the victim, modify firewall rules, create new administrative accounts, or redirect the victim to external phishing pages. The stored nature of this XSS means the attack persists until the malicious entry is removed from the system.

Detection Methods for CVE-2026-34814

Indicators of Compromise

• Unusual JavaScript code or HTML tags present in proxy group names within /cgi-bin/proxygroup.cgi
• Unexpected script execution or browser behavior when accessing the Endian Firewall administrative interface
• Anomalous session activity or unauthorized configuration changes following administrator access to proxy group pages

Detection Strategies

• Review proxy group configurations for entries containing HTML tags, script elements, or JavaScript event handlers
• Monitor web application logs for POST requests to /cgi-bin/proxygroup.cgi containing suspicious payloads in the group parameter
• Deploy web application firewall (WAF) rules to detect and block common XSS patterns in HTTP parameters

Monitoring Recommendations

• Enable detailed logging for all administrative interface interactions on Endian Firewall
• Implement real-time alerting for configuration changes to proxy groups and other sensitive settings
• Conduct periodic audits of stored configuration data for unexpected or malicious content

How to Mitigate CVE-2026-34814

Immediate Actions Required

• Restrict access to the Endian Firewall administrative interface to trusted networks and IP addresses only
• Review all existing proxy group configurations for potentially malicious content and sanitize or remove suspicious entries
• Implement network segmentation to limit exposure of the firewall management interface
• Consider deploying a reverse proxy with XSS filtering capabilities in front of the administrative interface

Patch Information

Consult the Endian Community Support portal for the latest security updates and patches addressing this vulnerability. For detailed vulnerability information, refer to the VulnCheck Advisory on Endian.

Workarounds

• Limit administrative access to the firewall interface by using IP-based access control lists (ACLs)
• Enforce the principle of least privilege by restricting which administrators have access to proxy group configuration
• Implement browser-based XSS protection extensions for administrators who must access the interface
• Consider disabling the proxy group functionality if not actively required until a patch is available

# Example: Restrict administrative interface access via iptables
# Only allow access from trusted management network
iptables -A INPUT -p tcp --dport 10443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 10443 -j DROP