Bug #16414
closedMultiple potential vulnerabilities in the Suricata package
100%
Description
There are multiple potential vulnerabilities in the Suricata package:
Reflected cross-site scripting: In /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is printed back to the user without encoding.
Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34175
File enumeration: In /usr/local/www/suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists.
Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34176
Stored cross-site scripting: In /usr/local/www/suricata/suricata_flow_stream.php, the value of the policy_name parameter is printed back to the user without encoding.
Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34177
Stored cross-site scripting: In /usr/local/www/suricata/suricata_app_parsers.php, the value of the policy_name parameter is printed back to the user without encoding.
Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34178
       Updated by Jim Pingle about 2 months ago
      Updated by Jim Pingle about 2 months ago
      
    
    - Status changed from New to Resolved
- % Done changed from 0 to 100
MR Merged
       Updated by Jim Pingle about 2 months ago
      Updated by Jim Pingle about 2 months ago
      
    
    - Private changed from Yes to No
New package build is now published and available for Plus 25.07.1, Plus 25.07, CE 2.8.1, and CE 2.8.0.