Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2019-25368

Good to know:

icon
icon

Date: February 15, 2026

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.

Severity Score

Related Resources (6)

https://nvd.nist.gov/vuln/detail/CVE-2019-25368
https://forum.opnsense.org/index.php?topic=11469.0
https://www.exploit-db.com/exploits/46351
https://www.vulncheck.com/advisories/opnsense-reflected-xss-via-diagbackupphp
https://opnsense.org
https://www.mend.io/vulnerability-database/CVE-2019-25368

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/opnsense/plugins.git - 19.1.1;https://github.com/opnsense/plugins.git - 19.7.d

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us