Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the user parameter to /cgi-bin/proxyuser.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the user parameter in /cgi-bin/proxyuser.cgi, which is then executed when other users view the affected page. This requires user interaction (page view) but enables session hijacking, credential theft, or administrative action abuse within the firewall's web interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from improper input validation and output encoding in a CGI script responsible for proxy user management. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-supplied input from the 'user' parameter is not adequately sanitized before being stored in a database or configuration and subsequently reflected in HTML responses without encoding. Endian Firewall is a unified threat management (UTM) appliance running on dedicated hardware or virtual environments, exposing a web-based management interface via CGI scripts. The /cgi-bin/proxyuser.cgi endpoint processes proxy user configurations, making it a logical target for injection attacks if input handling is insufficient.
RemediationAI
Upgrade Endian Firewall to a version newer than 3.3.25 that includes input validation and output encoding fixes for the /cgi-bin/proxyuser.cgi script. Until a patched version is available or deployable, implement network-level access controls to restrict access to the web management interface to trusted administrative networks only, and enforce strong authentication and session management policies. Review audit logs for suspicious user parameter values that may indicate exploitation attempts. For technical details and patched version availability, consult https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-proxyuser-cgi-user-stored-cross-site-scripting and the vendor's support portal at https://help.endian.com/hc/en-us/sections/360004371358-Community.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18308
GHSA-c849-x89h-q96v