Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in /cgi-bin/zonefw.cgi, which persists and executes when other administrators or users access the affected configuration page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting immediate risk but enabling account compromise and lateral movement within firewall administrative interfaces.
Technical ContextAI
The vulnerability is a classic stored cross-site scripting flaw (CWE-79) in a web-based administrative interface. The /cgi-bin/zonefw.cgi endpoint fails to properly sanitize or encode the remark parameter before storing it in a backend data store and subsequently rendering it in HTTP responses. Because the payload is stored persistently, every subsequent view of the affected zone configuration by any authenticated user triggers script execution in their browser context, bypassing traditional reflected XSS mitigations. Endian Firewall (CPE affected: Endian Firewall versions through 3.3.25) is a network security appliance with a web management console; this vulnerability affects the zone firewall rule management functionality accessible at the /cgi-bin/zonefw.cgi endpoint.
RemediationAI
Upgrade Endian Firewall to a patched version released after 3.3.25. No specific fixed version number is provided in the available data; administrators should check the Endian Community Help Center and official vendor advisories (https://help.endian.com/hc/en-us/sections/360004371358-Community) for the latest patched release. As an interim workaround pending patch deployment, restrict administrative access to /cgi-bin/zonefw.cgi to a minimal set of trusted administrators, monitor for unusual changes to firewall zone remarks, disable browser JavaScript execution for the Endian management console if operationally feasible, and review browser session logs and configuration audit trails for unauthorized modifications. Implement network-level access controls (e.g., firewall rules, VPN, bastion hosts) to limit who can reach the Endian web management interface.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18300
GHSA-pwj2-g679-jwhx