35 matches found
CVE-2021-27201
CVE-2021-27201 affects Endian Firewall Community (EFW) 3.3.2. The vulnerability allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in a backup comment. The connected sources (NVD, Red Hat, CVE listing) confirm the issue; no remediation details are provided...
CVE-2026-34796
Endian Firewall, up to version 3.3.25, is affected by a command-injection in /cgi-bin/logs_openvpn.cgi via the DATE parameter. The root cause is incomplete regular-expression validation that allows the DATE value to be used in a Perl open() call, enabling authenticated users with low privileges a...
CVE-2026-34819
Endian Firewall is affected by CVE-2026-34819: versions 3.3.25 and earlier are vulnerable to stored XSS via the REMARK parameter in /cgi-bin/openvpnclient.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. This is ca...
CVE-2026-34791
Endian Firewall versions 3.3.25 and earlier are affected by a command-injection flaw in /cgi-bin/logs_proxy.cgi through the DATE parameter. The value is used to build a file path then passed to a Perl open(), with incomplete regex validation enabling authenticated users to execute arbitrary OS co...
CVE-2026-34794
CVE-2026-34794 affects Endian Firewall versions up to 3.3.25. Authenticated users can execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_ids.cgi. The vulnerability arises because the DATE value constructs a file path that is passed to a Perl open() call, enabled by incomplete r...
CVE-2026-34797
CVE-2026-34797 - Endian Firewall : Endian Firewall versions 3.3.25 and earlier are affected. Authenticated users can run arbitrary OS commands via the DATE parameter in /cgi-bin/logs_smtp.cgi. The value is used to build a file path passed to a Perl open() call, with incomplete regex validation en...
CVE-2026-34818
Vulnerability summary (CVE-2026-34818): Endian Firewall versions up to 3.3.25 are affected by a stored XSS in the remark parameter of /manage/dnsmasq/localdomains/. An authenticated user can inject JavaScript that is stored and executed when other users view the page. The provided documents speci...
CVE-2026-34799
Endian Firewall versions 3.3.25 and earlier are affected by a stored XSS in the remark field of /manage/dnsmasq/hosts/. An authenticated attacker can inject JavaScript that is stored and executed when other users view the page, enabling client-side script execution within the web UI context. The ...
CVE-2026-34816
Endian Firewall 3.3.25 and prior is affected by a stored cross-site scripting (XSS) vulnerability via the domain parameter in /manage/smtpscan/domainrouting/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. The descrip...
CVE-2026-34790
Endian Firewall versions 3.3.25 and prior are affected. The vulnerability resides in /cgi-bin/backup.cgi where the remove ARCHIVE parameter is used to build a file path without sanitizing directory traversal sequences, and the path is passed to unlink(). This allows an authenticated user to delet...
CVE-2026-34793
CVE-2026-34793 affects Endian Firewall versions 3.3.25 and prior. The flaw resides in the /cgi-bin/logs_firewall.cgi endpoint where the DATE parameter is used to build a file path that is then passed to a Perl open() call. Incomplete validation of the DATE parameter enables an authenticated user ...
CVE-2026-34795
Endian Firewall versions up to 3.3.25 are affected by a command injection vulnerability in the CGI endpoint /cgi-bin/logs_log.cgi, exploitable by authenticated users via the DATE parameter. The input is used to build a file path passed to a Perl open() call, with incomplete regular expression val...
CVE-2026-34820
Endian Firewall
CVE-2026-34822
Endian Firewall prior to 3.3.25 is affected by a stored XSS in the new_cert_name parameter of /manage/ca/certificate/. An authenticated attacker can inject JavaScript that is stored and executed when other users view the page. CVE-2026-34822; exploitation details, affected versions, and remediati...
CVE-2026-34823
CVE-2026-34823 affects Endian Firewall prior to version 3.3.25. The issue is a stored XSS in the remark parameter of /manage/password/web/. An authenticated attacker can inject JavaScript that is stored and then executed when other users view the affected page. The vulnerability is confirmed by m...
CVE-2026-34792
CVE-2026-34792 – Endian Firewall : Affects Endian Firewall 3.3.25 and prior. An authenticated user can execute arbitrary OS commands via the DATE parameter to /cgi-bin/logs_clamav.cgi. The DATE value builds a file path that is passed to a Perl open() call, allowing command injection due to incomp...
CVE-2026-34804
Endian Firewall
CVE-2026-34807
CVE-2026-34807 affects Endian Firewall up to version 3.3.25, where a vulnerability in the remark parameter of /cgi-bin/incoming.cgi enables stored XSS. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. The provided docum...
CVE-2026-34810
Endian Firewall versions up to 3.3.25 are affected by a stored XSS in the remark parameter of /cgi-bin/vpnfw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. This is described across CVE-2026-34810 records (NVD, CV...
CVE-2026-34817
Endian Firewall contains a stored XSS vulnerability in versions 3.3.25 and earlier. The flaw allows an authenticated attacker to inject JavaScript via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi, which is stored and executed when other users view the affected page. CVSS metrics include ...
CVE-2026-34805
Endian Firewall 3.3.25 and prior is affected by a stored XSS in the remark parameter of /cgi-bin/dnat.cgi. An authenticated attacker can inject JavaScript that is stored and executed when other users view the page. No remediation details are provided in the supplied documents.
CVE-2026-34808
Vulnerability summary (CVE-2026-34808) Endian Firewall
CVE-2026-34809
Endian Firewall 3.3.25 and earlier are affected by a stored XSS in the remark parameter of /cgi-bin/zonefw.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored on the page and executed when other users view the affected page. Affected component: the CGI endpoint /cgi-bin/...
CVE-2026-34813
Endian Firewall 3.3.25 and earlier are affected by a stored XSS vulnerability in the /cgi-bin/proxyuser.cgi user parameter. An authenticated attacker can inject JavaScript that is stored and executed when other users view the affected page.
CVE-2026-34814
CVE-2026-34814 affects Endian Firewall up to version 3.3.25. The vulnerability is a stored XSS via the group parameter to /cgi-bin/proxygroup.cgi, allowing an authenticated attacker to inject JavaScript that is later executed when other users view the affected page. The reported impact includes p...
CVE-2026-34821
CVE-2026-34821 affects Endian Firewall up to version 3.3.25. A stored XSS flaw exists in the remark parameter of /manage/vpnauthentication/user/, allowing an authenticated attacker to inject JavaScript that is stored and executed when other users view the page. The provided sources specify affect...
CVE-2026-34800
Endian Firewall 3.3.25 and earlier is affected by a stored XSS in the NAME parameter of /cgi-bin/uplinkeditor.cgi. An authenticated attacker can inject JavaScript that is stored and executed when other users view the affected page. Impact is stored, reflected in user sessions/viewers; CVSS scores...
CVE-2026-34802
CVE-2026-34802 affects Endian Firewall
CVE-2026-34806
CVE-2026-34806 affects Endian Firewall versions 3.3.25 and earlier. The vulnerability arises from the remark parameter sent to /cgi-bin/snat.cgi, enabling an authenticated attacker to perform a stored cross-site scripting (XSS) attack by injecting arbitrary JavaScript that is later executed when ...
CVE-2026-34798
CVE-2026-34798 affects Endian Firewall,
CVE-2026-34801
CVE-2026-34801 : Endian Firewall versions 3.3.25 and earlier are affected by a stored XSS vulnerability in the remark parameter of /manage/dhcp/fixed_leases/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. No exploita...
CVE-2026-34803
Endian Firewall versions 3.3.25 and earlier are affected by a stored XSS flaw in the name parameter of /manage/qos/classes/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. Impact is limited to the described stored XSS...
CVE-2026-34812
Endian Firewall prior to 3.3.25 is affected by a stored XSS in the mimetypes parameter of /cgi-bin/proxypolicy.cgi. An authenticated user can inject JavaScript that is stored and executed when other users view the page. CVSS data from sources indicates a network-priority issue with low attack com...
CVE-2026-34815
Endian Firewall (affected: 3.3.25 and earlier) is vulnerable to a stored XSS via the DOMAIN parameter in /cgi-bin/smtpdomains.cgi. An authenticated attacker can inject arbitrary JavaScript that gets stored and executed when other users view the affected page. This is driven by the DOMAIN input ha...
CVE-2026-34811
The CVE concerns Endian Firewall (version 3.3.25 and earlier) where the remark parameter of /cgi-bin/xtaccess.cgi allows stored XSS. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page. Public disclosures from NVD and CVE r...