Bug #16413
Updated by Jim Pingle 3 days ago
There is a potential stored cross-site scripting vulnerability in the Status_Traffic_Totals package:
In @/usr/local/www/status_traffic_totals.php@, the value of the @start-day@ parameter is printed back to the user without validation or encoding. This value can be saved as a default when visiting the Status Traffic Totals page.
Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34174