Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/ipsec/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in the IPSec management interface (/manage/ipsec/), which persists and executes when other users access the affected page. This requires user interaction (page view) and only affects session integrity and information disclosure within the administrative interface. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
This vulnerability represents a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Endian Firewall administrative web interface. The remark parameter in the /manage/ipsec/ endpoint fails to properly sanitize or encode user-supplied input before storing it in a backend data store and reflecting it in subsequent HTTP responses. When an authenticated administrator or authorized user later views the IPSec configuration page, the unsanitized JavaScript payload executes in their browser context with the privileges of that user. The vulnerability chain relies on the firewall application's web framework (likely a custom or third-party solution embedded in Endian's management interface) not implementing adequate input validation or output encoding mechanisms.
RemediationAI
Upgrade Endian Firewall to a version posterior to 3.3.25. The vendor advisory and support resources are available at https://help.endian.com/hc/en-us/sections/360004371358-Community; consult Endian's release notes to identify the first patched version. As an interim control pending patch deployment, restrict access to the /manage/ipsec/ management interface using firewall rules or reverse proxy authentication controls, limiting access to a minimal set of trusted administrators. Additionally, review audit logs and administrator activity records to identify any suspicious modifications to IPSec remarks or configuration entries. Input validation and output encoding should be verified in any subsequent patched version before deployment.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18322
GHSA-3fmq-wjgh-4f33