Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A direct injection flaw exists in the dscp parameter of the /manage/qos/rules/ endpoint, allowing an authenticated attacker to store malicious JavaScript code. When other users view the affected page, the script is executed in their browsers, enabling the attacker to perform actions such as session hijacking, data theft, or web‑page defacement. The vulnerability is a classic example of stored XSS, classified as CWE‑79.

Affected Systems

The flaw affects Endian Firewall products, specifically versions 3.3.25 and all older releases, including 2.4 and 2.1.2. Any installation that exposes the /manage/qos/rules/ interface to authenticated users is vulnerable.

Risk and Exploitability

The standard CVSS score of 5.1 indicates a medium risk rating, and the vulnerability is not currently listed in the CISA KEV catalog. Because exploitation requires authentication, the attack vector is limited to accounts with management privileges. Once a payload is stored, it automatically runs for any subsequent viewer of the page, increasing the potential impact for users with access to the management interface. No publicly available exploit exploits have been documented; however, the lack of input validation presents a clear opportunity for malicious code injection if an attacker gains legitimate access.

Generated by OpenCVE AI on April 2, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Endian Firewall support site for the latest patch that addresses stored XSS in the dscp parameter and apply it as soon as possible. If a patch is unavailable, restrict access to the /manage/qos/rules/ management console to a minimal set of trusted administrators and enforce strong authentication. Consider enabling a web application firewall or input‑validation rules that block JavaScript code in the dscp field.

Generated by OpenCVE AI on April 2, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /manage/qos/rules/ dscp Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T15:42:27.349Z

Reserved: 2026-03-30T20:26:18.725Z

Link: CVE-2026-34804

cve-icon Vulnrichment

Updated: 2026-04-02T15:42:16.886Z

cve-icon NVD

Status : Received

Published: 2026-04-02T15:16:47.270

Modified: 2026-04-02T15:16:47.270

Link: CVE-2026-34804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:20:39Z

Weaknesses