Impact
Endian Firewall versions through 3.3.25 contain a stored cross‑site scripting flaw in /cgi-bin/uplinkeditor.cgi that accepts an unchecked NAME parameter. An attacker with authenticated access can embed arbitrary JavaScript that gets saved into the firewall configuration. When any other authorized user later views the affected page, the stored script executes in their browser, potentially allowing session hijacking, credential theft, or malicious page redirection.
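The two controls that close this class of flaw are validating NAME when it is saved and HTML-encoding it when it is rendered. The sketch below is an added example, not Endian's code: the allowlist policy, the `(uplink_id, name)` record shape, the function names and the sample data are all assumptions made for illustration. It also audits names that are already stored.

```python
import html
import re

# Assumed policy: an uplink name is a short label made of letters, digits,
# space, underscore, dot and hyphen. Not taken from the product.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,64}")
# Characters that can break out of an HTML text or quoted-attribute context.
HTML_ACTIVE = re.compile(r"[<>\"'&`]")


def validate_name(value):
    """Input side: return the name unchanged if it fits the allowlist, else raise."""
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        raise ValueError("NAME rejected by allowlist")
    return value


def render_name(value):
    """Output side: encode for HTML text and quoted-attribute contexts."""
    return html.escape(value, quote=True)


def audit_stored_names(records):
    """Flag already-saved names that contain HTML-active characters.

    records: iterable of (uplink_id, name) pairs (hypothetical shape).
    Returns (uplink_id, raw_name, safely_encoded_name) tuples.
    """
    findings = []
    for uplink_id, name in records:
        if HTML_ACTIVE.search(name):
            findings.append((uplink_id, name, render_name(name)))
    return findings


# Constructed sample data, not taken from a real appliance.
SAMPLE_RECORDS = [
    ("uplink1", "Main WAN"),
    ("uplink2", "backup-dsl_2"),
    ("uplink3", '"><script>alert(1)</script>'),
]

if __name__ == "__main__":
    for uid, raw, safe in audit_stored_names(SAMPLE_RECORDS):
        print(f"{uid}: stored name contains markup; safe rendering: {safe}")
```

Output encoding is what protects viewers from values saved before validation was added, which is why the audit reports the encoded form alongside the raw one.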
Affected Systems
The affected releases are Endian Firewall 2.1.2, 2.4, and 3.3.25, along with any earlier 3.3.x release that predates the fix. Administrators running these firmware versions are at risk, while versions later than 3.3.25 are expected to have the issue resolved. Any user who can access the web interface is also exposed when interacting with the vulnerable page.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity, and the lack of a CISA KEV listing suggests that public exploitation is not widespread. Exploitation requires authentication to the web console, reducing the attack surface compared to an unauthenticated vulnerability. Once authenticated, the attacker can inject payloads with no additional privileges, and the impact is limited to the browsers of users who subsequently load the malicious page. Because EPSS data is unavailable, the precise likelihood of real‑world exploitation remains uncertain, but the need for legitimate credentials mitigates widespread risk.
OpenCVE Enrichment