Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Endian Firewall 3.3.25 and earlier contains stored cross-site scripting (XSS) in the DHCP fixed leases management interface, where the remark parameter fails to sanitize user input. An authenticated attacker can inject malicious JavaScript into the remark field at /manage/dhcp/fixed_leases/ that persists in the application and executes in the browsers of other administrators viewing the same page, enabling session hijacking, credential theft, or unauthorized configuration changes. No public exploit code or active exploitation has been confirmed; however, the vulnerability requires only low-privilege authentication and normal user interaction to trigger.
Technical ContextAI
This is a classic stored cross-site scripting (CWE-79) vulnerability in a web-based network appliance management interface. The Endian Firewall administrative dashboard accepts user-supplied input in the remark field of DHCP fixed lease entries without proper output encoding or input validation. When the remarks are displayed to other authenticated users via the /manage/dhcp/fixed_leases/ endpoint, the attacker-controlled JavaScript executes in the victim's browser context with the same privileges as the authenticated session. The vulnerability affects Endian Firewall Community edition version 3.3.25 and all prior releases, indicating that the remark parameter processing logic has not implemented context-appropriate HTML entity encoding or content security policy protections.
RemediationAI
Upgrade Endian Firewall to a patched version released after 3.3.25. Consult the official Endian help center and the VulnCheck advisory for the specific fixed version number and upgrade instructions, as exact patch version information is not independently confirmed in the provided data. In the interim, restrict administrative access to the Endian Firewall management console to trusted users only, implement network-level access controls to limit who can reach the management interface, and consider deploying a web application firewall (WAF) rule to block JavaScript injection patterns in the remark parameter. Additionally, educate administrators not to click untrusted links or visit the DHCP fixed leases page from untrusted sources while logged into the appliance.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18284