{"id":"CVE-2019-25374","details":"OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through the passthrough_networks parameter in vpn_ipsec_settings.php. Attackers can craft POST requests with JavaScript payloads in the passthrough_networks parameter to execute arbitrary JavaScript in users' browsers.","modified":"2026-04-10T04:17:22.774986Z","published":"2026-02-15T14:16:07.243Z","references":[{"type":"WEB","url":"https://opnsense.org"},{"type":"ADVISORY","url":"https://forum.opnsense.org/index.php?topic=11469.0"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-vpnipsecsettingsphp"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46351"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opnsense/core","events":[{"introduced":"0"},{"last_affected":"33279d1d2410a4bfa2896efd2f033b8234396ad8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"19.1"}]}}],"versions":["15.1","15.1.1","15.1.10","15.1.10.2","15.1.11","15.1.11.1","15.1.11.2","15.1.11.3","15.1.11.4","15.1.12","15.1.2","15.1.3","15.1.4","15.1.5","15.1.6","15.1.6.1","15.1.7","15.1.7.1","15.1.7.2","15.1.8","15.1.8.1","15.1.8.2","15.1.8.3","15.1.8.4","15.1.9","15.1.9.1","15.1.9.2","15.7","16.7.a","16.7.b","16.7.r","17.1.a","17.1.b","17.1.r","17.7.a","17.7.b","17.7.r","18.1.a","18.1.b","18.1.r","18.7.a","18.7.b","18.7.r","19.1.a","19.1.b","19.1.r"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-25374.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}