Vulnerability Description
In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly displayed in the input box. This value can be saved as the default value to be displayed to all users when visiting the Status Traffic Totals page, resulting in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Status: Traffic Totals" permissions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pfsense | Pfsense | < 2.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/pfsense/FreeBSD-ports/commit/9e412edf62113303c36c7f7d5a48b0a3Patch
- https://redmine.pfsense.org/issues/16413Issue Tracking
- https://www.vulncheck.com/advisories/netgate-pf-sense-ce-status-traffic-totals-sThird Party Advisory
FAQ
What is CVE-2025-34174?
CVE-2025-34174 is a vulnerability with a CVSS score of 5.4 (MEDIUM). In pfSense CE /usr/local/www/status_traffic_totals.php, the value of the start-day parameter is not ensured to be a numeric value or sanitized of HTML-related characters/strings before being directly ...
How severe is CVE-2025-34174?
CVE-2025-34174 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-34174?
Check the references section above for vendor advisories and patch information. Affected products include: Pfsense Pfsense.