VYPR

Firewall

by Endian

CVEs (43)

  • CVE-2026-34811MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/xtaccess.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34810MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34809MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34808MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/outgoingfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34807MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/incoming.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34806MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/snat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34805MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /cgi-bin/dnat.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34804MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34803MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the name parameter to /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34802MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark user ham spam parameter to /cgi-bin/salearn.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34801MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34800MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the NAME parameter to /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2026-34799MedApr 2, 2026
    risk 0.42cvss 6.4epss 0.00

    Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the remark parameter to /manage/dnsmasq/hosts/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.

  • CVE-2020-12271KEVApr 27, 2020
    risk 0.25cvss epss 0.43

    A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone.…

  • CVE-2020-15069KEVJun 29, 2020
    risk 0.19cvss epss 0.11

    Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.

  • CVE-2015-5082Sep 28, 2015
    risk 0.09cvss epss 0.70

    Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.

  • CVE-2012-4923Sep 15, 2012
    risk 0.03cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Endian Firewall 2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) createrule parameter to dnat.cgi, (2) addrule parameter to dansguardian.cgi, or (3) PATH_INFO to openvpn_users.cgi.

  • CVE-2024-13973Jul 21, 2025
    risk 0.00cvss epss 0.08

    A post-auth SQL injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR1 (21.0.1) can potentially lead to administrators achieving arbitrary code execution.

  • CVE-2022-45963Dec 27, 2022
    risk 0.00cvss epss 0.01

    h3c firewall <= 3.10 ESS6703 has a privilege bypass vulnerability.

  • CVE-2021-28130Sep 24, 2021
    risk 0.00cvss epss 0.00

    Dr.Web Firewall 12.5.2.4160 on Windows incorrectly restricts applications signed by Dr.Web. A DLL for a custom payload within a legitimate binary (e.g., frwl_svc.exe) bypasses firewall filters.