CVE-2025-34174: Netgate pfSense CE Status_Traffic_Totals Package v2.3.2_7 Stored Cross-Site Scripting

Q: What is the severity of CVE-2025-34174?

CVE-2025-34174 is classified as a medium severity vulnerability due to its potential for cross-site scripting attacks.

Q: How do I fix CVE-2025-34174?

To mitigate CVE-2025-34174, sanitize and validate the start-day parameter input before displaying it in the application.

Q: Which versions are affected by CVE-2025-34174?

CVE-2025-34174 affects users of the Netgate pfSense CE Status_Traffic_Totals Package.

Q: What type of vulnerability is CVE-2025-34174?

CVE-2025-34174 is a cross-site scripting (XSS) vulnerability due to improper handling of user input.

Q: What impact can CVE-2025-34174 have on applications?

Exploitation of CVE-2025-34174 may allow attackers to execute malicious scripts in the context of the affected user's session.

Published Sep 9, 2025

Updated

In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.

Affected Software

2 affected components

Netgate pfSense CE Status_Traffic_Totals Package

pfSense pfSense<2.8.0

Remediation

Patch Available

https://github.com/pfsense/FreeBSD-ports/commit/9e412edf62113303c36c7f7d5a48b0a3fb0be893

Event History

Sep 9, 2025

CVE Published

via MITRE·08:02 PM

Data Sourced

via MITRE·08:02 PM

DescriptionWeakness

Data Sourced

via NVD·08:15 PM

RemedyDescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2025-34174?

CVE-2025-34174 is classified as a medium severity vulnerability due to its potential for cross-site scripting attacks.

How do I fix CVE-2025-34174?

To mitigate CVE-2025-34174, sanitize and validate the start-day parameter input before displaying it in the application.

Which versions are affected by CVE-2025-34174?

CVE-2025-34174 affects users of the Netgate pfSense CE Status_Traffic_Totals Package.

What type of vulnerability is CVE-2025-34174?

CVE-2025-34174 is a cross-site scripting (XSS) vulnerability due to improper handling of user input.

What impact can CVE-2025-34174 have on applications?

Exploitation of CVE-2025-34174 may allow attackers to execute malicious scripts in the context of the affected user's session.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.

CVE-2025-34174: Netgate pfSense CE Status_Traffic_Totals Package v2.3.2_7 Stored Cross-Site Scripting

Affected Software

Remediation

Patch Available

Event History

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2025-34174?

How do I fix CVE-2025-34174?

Which versions are affected by CVE-2025-34174?

What type of vulnerability is CVE-2025-34174?

What impact can CVE-2025-34174 have on applications?

Company

Resources

Contact