CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. It can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects the 'host' parameter of the '/diagconnect.php' endpoint.
Analysis
Reflected XSS in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter in /diagconnect.php, potentially enabling session hijacking or unauthorized user actions. The vulnerability requires user interaction (clicking a malicious link) and has a CVSS score of 5.1 (medium severity). No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical Context
Anon Proxy Server is a PHP-based web proxy application that fails to properly sanitize user-supplied input in the 'host' parameter of the /diagconnect.php endpoint. The underlying root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflected XSS flaw where untrusted user input is reflected in HTTP responses without encoding or validation. This allows an attacker to inject malicious JavaScript that executes in the context of the victim's browser when they visit a crafted URL. The flaw is specific to the PHP implementation of the diagnostic connection endpoint, whose name suggests it is used for server configuration or status checks.
Affected Products
Anon Proxy Server version 0.104 and potentially earlier versions are affected, as indicated by the CPE string cpe:2.3:a:anon_proxy_server:anon_proxy_server:*:*:*:*:*:*:*:*. The vulnerability was reported by INCIBE (Spanish National Cybersecurity Institute). Vendor advisory and detailed patch information are available via the INCIBE notice at https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server.
Remediation
Organizations running Anon Proxy Server v0.104 should immediately upgrade to the latest patched version released by the vendor. Specific patched version numbers are not independently confirmed from available data; consult the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server for the recommended upgrade path. As an interim workaround, disable or restrict access to the /diagconnect.php endpoint until patching is feasible, implement input validation and output encoding for the 'host' parameter, or deploy a Web Application Firewall (WAF) rule to block requests containing JavaScript payloads in that parameter. Validate that any fix properly encodes or sanitizes the 'host' parameter before rendering it in HTML responses.
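The following is an added illustration, not Anon Proxy Server's own source (which this page does not show): a hypothetical diagconnect.php in which the 'host' parameter is reflected unencoded (the CWE-79 pattern described above), followed by the hardened form with allow-list validation and HTML output encoding. File layout, function names and the 400 response are assumptions.

```php
<?php
// Added illustration, not Anon Proxy Server's code: a hypothetical diagconnect.php
// showing the CWE-79 pattern the advisory describes next to a hardened version.
declare(strict_types=1);
// Before: the 'host' value is reflected straight into the HTML response, so
// whatever arrives in ?host= becomes part of the page (reflected XSS).
function render_diag_vulnerable(array $query): string
{
    $host = $query['host'] ?? '';
    return '<p>Connecting to host: ' . $host . '</p>';
}
// After, step 1: allow-list validation. Accept only an IP address or a
// syntactically valid hostname; anything else is rejected instead of echoed back.
function validate_host(string $host): ?string
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    return null;
}
// After, step 2: contextual output encoding. ENT_QUOTES also encodes ' so the
// value is safe inside attribute values, not only between tags.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function render_diag_hardened(array $query): string
{
    $host = validate_host((string) ($query['host'] ?? ''));
    if ($host === null) {
        error_log('diagconnect: rejected invalid host parameter'); // detection hook
        http_response_code(400);
        return '<p>Invalid host parameter.</p>';
    }
    // Encode even after validation: defence in depth if validation is loosened later.
    return '<p>Connecting to host: ' . html_encode($host) . '</p>';
}
header("Content-Security-Policy: default-src 'self'"); // extra layer against injected script
header('Content-Type: text/html; charset=UTF-8');
echo render_diag_hardened($_GET);
```

The error_log line gives a log source for detecting probing of the parameter; pair it with the WAF rule and endpoint restriction mentioned above until the vendor fix is applied.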
EUVD-2025-209139
GHSA-f28w-75x8-62f8