Bug #16414

closed

Multiple potential vulnerabilities in the Suricata package

Added by Jim Pingle 6 days ago. Updated 2 days ago.

Status: Resolved
Priority: High
Assignee:
Category: Suricata
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

There are multiple potential vulnerabilities in the Suricata package:

Reflected cross-site scripting: In /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is printed back to the user without encoding.

Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34175

File enumeration: In /usr/local/www/suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists.

Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34176

Stored cross-site scripting: In /usr/local/www/suricata/suricata_flow_stream.php, the value of the policy_name parameter is printed back to the user without encoding.

Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34177

Stored cross-site scripting: In /usr/local/www/suricata/suricata_app_parsers.php, the value of the policy_name parameter is printed back to the user without encoding.

Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34178
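The two defect classes above (request values echoed without encoding, and a file-existence check fed an unsanitized path) have standard fixes. The PHP below is an added illustration written for this report, not code from the pfSense Suricata package; the `IPLIST_DIR` path, the `h()` and `resolve_iplist()` helper names and the sample stored value are assumptions. It encodes every request-derived value at output time, and constrains the IP list lookup to a single directory so that a traversal string gets the same "not found" answer as a genuinely missing file, which is what removes the enumeration oracle.

```php
<?php
// Added example, not code from the pfSense Suricata package.
// (1) HTML-encode every request-derived value before echoing it back.
// (2) Restrict a file-exists check to a fixed directory so the request
//     parameter cannot name arbitrary filesystem paths.

// Assumed base directory for IP list files; the real package's path may differ.
const IPLIST_DIR = '/usr/local/etc/suricata/iplists';

/**
 * Encode a value for safe inclusion in HTML text or attribute context.
 * ENT_QUOTES covers both quote styles so attribute injection is also blocked;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return the canonical path of an IP list inside IPLIST_DIR, or null if the
 * requested name is not a plain single-segment file name or does not exist
 * there. Traversal attempts ('../', absolute paths, NUL bytes) get the same
 * null result as a missing file, so the response reveals nothing about files
 * elsewhere on the system.
 */
function resolve_iplist(string $requested): ?string {
    // Allow only a simple file name: no separators, no control bytes.
    if ($requested === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $requested)) {
        return null;
    }
    // The character class permits dots, so reject the two special entries.
    if ($requested === '.' || $requested === '..') {
        return null;
    }
    $base = realpath(IPLIST_DIR);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks and returns false for non-existent files,
    // so the containment check is done on the canonical path.
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// --- Usage in a request handler; parameter names follow the report ---

// Before (reflected XSS):  echo 'File hash: ' . $_GET['filehash'];
// After: encode at the point of output.
$filehash = isset($_GET['filehash']) ? (string) $_GET['filehash'] : '';
echo 'File hash: ' . h($filehash) . "\n";

// Before (file enumeration):  file_exists('/some/dir/' . $_GET['iplist'])
// After: only names inside IPLIST_DIR can ever be tested.
$iplist = isset($_GET['iplist']) ? (string) $_GET['iplist'] : '';
$path = resolve_iplist($iplist);
echo $path === null
    ? "IP list not found.\n"
    : 'Using IP list ' . h(basename($path)) . "\n";

// Stored XSS: a value saved earlier (policy_name) is encoded when rendered,
// regardless of what validation happened when it was stored.
$policy_name = 'Default <b>policy</b>';   // constructed sample of a stored value
echo '<td>' . h($policy_name) . '</td>' . "\n";
```

Encoding at output rather than at storage time is what closes the stored variants: a value that was written to the configuration before any input filtering existed is still rendered inertly. For the lookup, the containment test on the `realpath()` result is the part that matters; a blocklist of `../` substrings alone would still leave encoded or symlinked variants to reason about.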
