Bug #16414
Updated by Jim Pingle 3 days ago
There are multiple potential vulnerabilities in the Suricata package:

* Reflected cross-site scripting: In @/usr/local/www/suricata/suricata_filecheck.php@, the value of the @filehash@ parameter is printed back to the user without encoding. Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34175
* File enumeration: In @/usr/local/www/suricata/suricata_ip_reputation.php@, the value of the @iplist@ parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists. Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34176
* Stored cross-site scripting: In @/usr/local/www/suricata/suricata_flow_stream.php@, the value of the @policy_name@ parameter is printed back to the user without encoding. Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34177
* Stored cross-site scripting: In @/usr/local/www/suricata/suricata_app_parsers.php@, the value of the @policy_name@ parameter is printed back to the user without encoding. Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34178
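The two defensive patterns these findings call for, output encoding before a request parameter is echoed (the @filehash@ and @policy_name@ cases) and confining the @iplist@ value to a single directory before the existence check, shown as an added PHP illustration. This is not code from the pfSense Suricata package; the function names and the base directory passed by the caller are assumptions.

```php
<?php
// Added illustration, not code from the pfSense Suricata package.
// Function names are hypothetical; $base_dir is whatever directory
// the caller legitimately stores IP list files in.

// Pattern 1: encode any request-derived value at output time.
// Applies equally to reflected values (filehash) and stored ones
// (policy_name): encoding happens where the value meets HTML.
function render_filehash_message(string $filehash): string {
    // ENT_QUOTES turns < > & " ' into entities, so the value cannot
    // close the surrounding tag or start a new one.
    $safe = htmlspecialchars($filehash, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>No match found for file hash {$safe}.</p>";
}

// Pattern 2: only accept a bare file name, then build the path
// ourselves. Returns null when the name is not a plain file name.
function confined_path(string $base_dir, string $name): ?string {
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name)            // strips any ../ or / prefix
        || strpos($name, "\0") !== false) {     // rejects NUL truncation
        return null;
    }
    $base = realpath($base_dir);
    return $base === false ? null : $base . DIRECTORY_SEPARATOR . $name;
}

// The existence check now answers only for files inside $base_dir,
// so it can no longer be used to probe arbitrary paths on the host.
function iplist_exists(string $base_dir, string $iplist): bool {
    $path = confined_path($base_dir, $iplist);
    return $path !== null && is_file($path);
}

// Constructed sample inputs.
echo render_filehash_message('<b>not a hash</b>') . PHP_EOL;
var_dump(confined_path(sys_get_temp_dir(), 'blocklist.txt') !== null); // true
var_dump(confined_path(sys_get_temp_dir(), '../../etc/passwd'));       // NULL
```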