Bug #16411

closed

Potential XSS in HAProxy Package

Added by Jim Pingle 7 days ago. Updated 3 days ago.

Status: Resolved
Priority: High
Assignee:
Category: haproxy
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

There is a potential reflected cross-site scripting vulnerability in the HAProxy package:

/usr/local/www/haproxy/haproxy_stats.php displays the value of the showsticktablecontent GET parameter without encoding.

Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34172.

While looking at that, I also found that the showstatresolvers code path references $sticktablename, but it isn't relevant on that code path. The only possible item to display is globalresolvers, so it doesn't need to use any user input for that action.
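The two patterns named above, as an added illustration written for this page rather than code from the pfSense haproxy package: the function names, the stick-table name format check and the fixed table constant are assumptions, and the real haproxy_stats.php is structured differently. It shows the reflected parameter echoed raw, the same parameter validated and encoded on output, and the resolvers path built without touching request input at all.

```php
<?php
// Added illustration; not the pfSense haproxy package's own code.
// Hypothetical names model the two code paths from the report.

// Assumption: the only table the resolvers path can ever display.
const RESOLVERS_TABLE = 'globalresolvers';

/**
 * Encode a value for insertion into an HTML text node or a
 * double-quoted attribute value.
 */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: the GET parameter is reflected verbatim, so a
 * request carrying markup in showsticktablecontent lands in the
 * page as markup rather than as text.
 */
function render_sticktable_vulnerable(array $get): string {
    $sticktablename = $get['showsticktablecontent'] ?? '';
    return "<h2>Stick table: $sticktablename</h2>";
}

/**
 * Hardened pattern: reject anything that is not a plausible table
 * name, then encode on output anyway.  The identifier pattern is an
 * assumption for this example, not HAProxy's actual naming rule.
 */
function render_sticktable_hardened(array $get): string {
    $sticktablename = $get['showsticktablecontent'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $sticktablename)) {
        return '<p class="error">Invalid stick table name.</p>';
    }
    return '<h2>Stick table: ' . h($sticktablename) . '</h2>';
}

/**
 * Resolvers path: the name is fixed, so reading it from the request
 * would only add an injection surface for no functional gain.
 */
function render_resolvers(): string {
    return '<h2>Resolvers: ' . h(RESOLVERS_TABLE) . '</h2>';
}

// Constructed request used only for this demonstration.
$probe = ['showsticktablecontent' => '"><b>marker</b>'];

echo render_sticktable_vulnerable($probe), "\n"; // markup reaches the page unchanged
echo render_sticktable_hardened($probe), "\n";   // rejected before it is echoed
echo render_resolvers(), "\n";                   // no request input involved
```

A quick check of an installed package is to request haproxy_stats.php with a harmless marker containing a double quote in showsticktablecontent and confirm that the response carries it as `&quot;` rather than as a raw quote; if the raw character comes back inside the markup, the page is still reflecting the parameter unencoded.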
