CVE-2025-41355

EUVD-2025-209137
Severity: MEDIUM (CVSS 4.0 base score 5.1)
Published: 2026-03-31
Source: INCIBE
GitHub advisory: GHSA-hvcr-3gq9-w43p

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Active (A)
Scope: X (not defined)

Lifecycle Timeline

EUVD ID Assigned: Mar 31, 2026 - 09:15 (euvd), EUVD-2025-209137
Analysis Generated: Mar 31, 2026 - 09:15 (vuln.today)
CVE Published: Mar 31, 2026 - 08:48 (nvd), MEDIUM 5.1

Description

Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects the 'port' and 'proxyPort' parameters of the '/anon.php' endpoint.

Analysis

Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs targeting the 'port' and 'proxyPort' parameters in the /anon.php endpoint. Successful exploitation enables theft of session cookies and unauthorized actions on behalf of the victim. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical Context

Anon Proxy Server is a PHP-based proxy application that fails to properly sanitize user-supplied input in the 'port' and 'proxyPort' parameters of the /anon.php endpoint. This allows attackers to inject arbitrary HTML and JavaScript that is reflected directly in the HTTP response without adequate output encoding. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a fundamental flaw in web application input validation and output encoding practices. The reflected nature of this XSS means the malicious payload must be delivered via a crafted URL, but does not require stored persistence on the server.

Affected Products

Anon Proxy Server version 0.104 is affected, as identified by the CPE cpe:2.3:a:anon_proxy_server:anon_proxy_server:*:*:*:*:*:*:*:*. The vulnerability was reported by INCIBE (Spanish National Cybersecurity Institute) via their advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server. The version scope, and whether earlier or later versions are affected, requires confirmation from the vendor.

Remediation

Contact the Anon Proxy Server vendor via the INCIBE advisory channel to obtain a patched version that properly sanitizes and encodes the 'port' and 'proxyPort' parameters in /anon.php. Immediate workarounds include restricting access to the proxy server to trusted networks only, implementing a Web Application Firewall (WAF) rule to detect and block JavaScript payloads in these parameters, and educating users not to click untrusted proxy links. Review the full advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server for vendor-provided remediation steps and availability of patched versions.
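The Technical Context and Remediation sections above describe the flaw (CWE-79: a query parameter reflected into the response without validation or output encoding) and the fix (validate and encode 'port' and 'proxyPort'). The following is an added illustration, not code from the Anon Proxy Server project and not a reconstruction of its /anon.php; the unsafe echo pattern, the function names, and the default port values are assumptions made for the example. It shows the unencoded pattern beside a hardened handler that rejects anything that is not a TCP port and HTML-encodes whatever is written into the page.

```php
<?php
// Added example (not the Anon Proxy Server project's code). Shows how a PHP
// endpoint can handle 'port' and 'proxyPort' so attacker-controlled input is
// never reflected unencoded. Function names, defaults and the echo pattern are
// assumptions for illustration only.

declare(strict_types=1);

// Assumed vulnerable pattern (CWE-79): the raw query value is written straight
// into the HTML response with no validation and no encoding.
function render_port_unsafe(array $query, string $name): string
{
    $value = $query[$name] ?? '';
    return "<input name=\"$name\" value=\"$value\">";
}

// Hardened step 1: accept only an integer in the TCP port range. Anything else
// (including a string carrying markup) is rejected and never echoed back.
function validate_port(array $query, string $name, int $default): int
{
    $raw = $query[$name] ?? null;
    if ($raw === null || $raw === '') {
        return $default;
    }
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if ($port === false) {
        // Fail closed with a generic message; do not reflect the rejected value.
        http_response_code(400);
        exit('Invalid port parameter');
    }
    return $port;
}

// Hardened step 2: encode on output. ENT_QUOTES covers both quote styles so the
// value is safe inside an attribute; ENT_SUBSTITUTE avoids returning an empty
// string on malformed UTF-8 instead of failing silently.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_port_safe(array $query, string $name, int $default): string
{
    $port = validate_port($query, $name, $default);
    // The value is already an int, but encoding anyway is cheap defence in depth
    // should validation later be relaxed to accept hostnames or other strings.
    return '<input name="' . html_escape($name) . '" value="' . html_escape((string) $port) . '">';
}

// Usage: $_GET carries the request's query string. Defaults 8080 and 3128 are
// assumed values for the example. The CSP header limits script sources so a
// reflected inline script would not run even if encoding were ever bypassed.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'");
echo render_port_safe($_GET, 'port', 8080), "\n";
echo render_port_safe($_GET, 'proxyPort', 3128), "\n";
```

The two checks are independent: validation narrows the accepted input to what the parameter means (a port number), while output encoding protects every place the value is later written into HTML. Applying only one of them is the usual source of regressions when a parameter's accepted format is widened later.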

Priority Score

26 (KEV: 0, EPSS: +0.0, CVSS: +26, POC: 0)


CVE-2025-41355 vulnerability details – vuln.today