Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
AnalysisAI
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the name parameter in the QoS classes management interface (/manage/qos/classes/), which is executed when other users access the affected page. The vulnerability requires user interaction and authentication, resulting in a CVSS 5.1 score with limited scope of impact; no public exploit code or active exploitation has been confirmed.
Technical ContextAI
This vulnerability exploits improper input validation and output encoding in a web application parameter handler. The QoS (Quality of Service) classes management endpoint fails to sanitize or properly escape user-supplied input in the name parameter before storing it in a backend data store and reflecting it in subsequent page renders. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause, indicating that the application accepts untrusted input without adequate encoding or validation. The attack vector is network-based and requires low attack complexity, but mandates user interaction (UI:P) and prior authentication (PR:L), limiting immediate exposure. The modified scope vector (MSC:X, MSI:L, MSA:N) suggests impact is confined to the integrity of displayed content with limited session scope.
RemediationAI
Upgrade Endian Firewall to a version greater than 3.3.25 if a patched release is available; consult the official Endian Community support portal (https://help.endian.com/hc/en-us/sections/360004371358-Community) for the specific patched version number and installation instructions. Until patching is possible, apply input validation and output encoding controls to the name parameter in the QoS classes interface, ensuring all user-supplied values are HTML-encoded before storage and rendering. Restrict access to the /manage/qos/classes/ endpoint to only necessary administrative users with verified need. Review and implement Content Security Policy (CSP) headers to mitigate XSS payload execution in the affected application.
More in Firewall Community
View allEndian Firewall Community (aka EFW) 3.3.2 allows remote authenticated users to execute arbitrary OS commands via shell m
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject ar
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbi
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS co
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through t
Directory traversal in Endian Firewall 3.3.25 and earlier allows authenticated users to delete arbitrary files through t
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaS
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18288
GHSA-gqf2-xr8q-xjr3