CVE-2025-41357

EUVD-2025-209141 | MEDIUM 5.1 (CVSS 4.0) | 2026-03-31 | INCIBE

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Active (A)
Scope: X (not defined)

Lifecycle Timeline

Analysis Generated: Mar 31, 2026 - 09:15 (vuln.today)
EUVD ID Assigned: Mar 31, 2026 - 09:15 (euvd), EUVD-2025-209141
CVE Published: Mar 31, 2026 - 08:58 (nvd), MEDIUM 5.1

Description

Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects the 'host' parameter in the '/diagdns.php' endpoint.

Analysis

Reflected Cross-Site Scripting (XSS) in Anon Proxy Server v0.104 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL targeting the 'host' parameter of the /diagdns.php endpoint. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious content. No public exploit code or active exploitation had been confirmed at the time of analysis.

Technical Context

Anon Proxy Server is a PHP-based proxy application (CPE: cpe:2.3:a:anon_proxy_server:anon_proxy_server:*:*:*:*:*:*:*:*) that provides network anonymization services. The vulnerability stems from insufficient input validation and output encoding on the 'host' parameter in the /diagdns.php endpoint, a PHP script responsible for DNS diagnostics. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'). The vulnerable parameter is reflected directly into the HTML response without HTML entity encoding or content security controls, so attacker-supplied JavaScript executes in the security context of the affected domain when a victim opens a crafted link.

Affected Products

Anon Proxy Server version 0.104 and potentially earlier versions are affected. The vulnerability is indexed under CPE cpe:2.3:a:anon_proxy_server:anon_proxy_server:*:*:*:*:*:*:*:*, indicating the flaw may affect multiple releases within the product line. Affected organizations should consult the INCIBE vendor advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server for version-specific impact determination and guidance.

Remediation

Upgrade Anon Proxy Server to a patched version released after v0.104 once available from the vendor. In the interim, apply input validation and output encoding to the /diagdns.php 'host' parameter: sanitize all user input against a whitelist of valid hostnames, implement HTML entity encoding for any output reflecting user input, and deploy Content-Security-Policy (CSP) headers to restrict inline script execution. Additionally, review and restrict access to the /diagdns.php endpoint via network-level controls if not required for public use. Refer to https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-anon-proxy-server for vendor-specific remediation guidance and patch release dates.
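Applying the interim measures above to a PHP diagnostic endpoint, as an added example that is not the project's own code (the function names, the markup and the CSP values are assumptions):

```php
<?php
// Added example, not Anon Proxy Server's own code: a hardened handler for a
// user-supplied 'host' parameter on a DNS diagnostic page. Function names,
// the HTML layout and the CSP values are assumptions for illustration.
declare(strict_types=1);

// Validate against an allow-list pattern for hostnames instead of reflecting
// whatever the client sent. Returns null when the value is rejected.
function validate_hostname(mixed $raw): ?string
{
    if (!is_string($raw)) {          // e.g. host[]=... arrives as an array
        return null;
    }
    $host = trim($raw);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // RFC 1123 style labels: letters, digits and hyphens, 1-63 characters
    // each, no leading or trailing hyphen; the D modifier anchors $ strictly.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match("/^(?:$label\\.)*$label$/D", $host) === 1 ? $host : null;
}

// Encode every value placed into HTML so markup characters are neutralised
// even if validation is relaxed later (defence in depth).
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Block inline script execution for this response and pin the content type.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');

$host = validate_hostname($_GET['host'] ?? '');
if ($host === null) {
    http_response_code(400);
    // Do not echo the rejected input back; a fixed message is enough.
    echo '<p>Invalid hostname.</p>';
    exit;
}

// The value is now a validated hostname; it is still encoded on output.
$records = dns_get_record($host, DNS_A) ?: [];
echo '<h1>DNS lookup for ' . html_escape($host) . '</h1>';
if ($records === []) {
    echo '<p>No A records found.</p>';
}
foreach ($records as $record) {
    echo '<p>' . html_escape($record['host']) . ' A ' . html_escape($record['ip']) . '</p>';
}
```

The allow-list check rejects anything that is not a syntactically valid hostname, and the encoding step still runs on the accepted value, so neither control depends on the other.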

Priority Score

26 (components: KEV 0, EPSS +0.0, CVSS +26, POC 0)

CVE-2025-41357 vulnerability details – vuln.today