VYPR
Medium severity · NVD Advisory · Published Oct 1, 2025 · Updated Apr 15, 2026

CVE-2025-34182

Description

In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, HTML-related characters and strings are not sanitized from the value of the ptpid parameter. This value is displayed directly when visiting the page /interfaces_assign.php, which can result in stored cross-site scripting. The attacker must be authenticated with at least the "Interfaces: PPPs: Edit" permission. The vendor addressed this vulnerability in the product release notes as "ui: legacy_html_escape_form_data() was not escaping keys only data elements."
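The release-note wording describes a general failure mode of recursive form escaping: leaf values are encoded but array keys are not. The PHP below is an added illustration, not OPNsense source code; the function names, the table rendering and the sample data are hypothetical, and it assumes the user-controlled identifier ends up as an array key, which this page does not show.

```php
<?php
// Added illustration (hypothetical helpers, not OPNsense code).

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escapes leaf values only; array keys pass through untouched.
function escape_values_only(array $form): array
{
    $out = [];
    foreach ($form as $key => $item) {
        $out[$key] = is_array($item)
            ? escape_values_only($item)
            : (is_string($item) ? h($item) : $item);
    }
    return $out;
}

// Escapes keys as well as leaf values. The array is rebuilt so that
// no unescaped key survives in the result.
function escape_keys_and_values(array $form): array
{
    $out = [];
    foreach ($form as $key => $item) {
        $safeKey = is_string($key) ? h($key) : $key; // integer keys need no encoding
        $out[$safeKey] = is_array($item)
            ? escape_keys_and_values($item)
            : (is_string($item) ? h($item) : $item);
    }
    return $out;
}

// Renders one table row per device, printing the key (id) and the value.
function render_rows(array $devices): string
{
    $html = '';
    foreach ($devices as $id => $descr) {
        $html .= "<tr><td>{$id}</td><td>{$descr}</td></tr>\n";
    }
    return $html;
}

// Constructed sample: the device id (array key) carries HTML markup.
$devices = ['ppp<b>0</b>' => 'WAN <uplink>'];

echo render_rows(escape_values_only($devices));     // key markup reaches the page
echo render_rows(escape_keys_and_values($devices)); // key and value both encoded
```

In the first row the description is encoded but the `<b>` element from the key is emitted as live markup; in the second row both appear as inert text.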

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in OPNsense Point-to-Point device creation due to unsanitized ptpid parameter, requiring authenticated access with PPP edit permissions.

In OPNsense before version 25.7.4, the creation of a Point-to-Point device entry does not sanitize the ptpid parameter for HTML characters. This value is directly displayed on the interfaces_assign.php page, leading to stored cross-site scripting (XSS). The vendor's fix notes that legacy_html_escape_form_data() was not escaping keys, only data elements [1].

An attacker must be authenticated with at least the "Interfaces: PPPs: Edit" permission. They can craft a malicious ptpid value containing JavaScript, which is stored and later executed when any user visits the interfaces_assign.php page. No additional privileges are required beyond the edit permission.

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or other actions within the OPNsense GUI. The vulnerability is classified as medium severity.

The vulnerability is fixed in OPNsense 25.7.4 and later. Users should upgrade to the latest version to mitigate the risk.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
