Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from the dscp parameter in the /manage/qos/rules/ page, where user input is stored without proper validation. An attacker with administrative credentials can inject JavaScript that is later executed in the browsers of other users who view that page. This stored cross‑site scripting can lead to session hijacking, credential theft, or page defacement. The underlying weakness is stored input rendered into the page without neutralization, identified as CWE‑79.

Affected Systems

Endian Firewall versions 3.3.25 and earlier, including releases 2.1.2, 2.4, and the community edition, are affected. The issue is present in all builds that include the /manage/qos/rules/ endpoint with the dscp parameter unfiltered.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate risk. EPSS below 1% suggests a very low likelihood of current exploitation. The vulnerability is not listed in the KEV catalog. Exploitation requires authentication to the management interface, so the attack vector is limited to users who can log in. Once authenticated, an attacker can persist malicious script that runs on other users’ browsers when they access the same page, enabling client‑side compromise.

Generated by OpenCVE AI on April 7, 2026 at 23:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Endian Firewall to a version that removes the vulnerable dscp handling, such as the latest major release.
  • If an immediate upgrade is not possible, limit access to the /manage/qos/rules/ endpoint to trusted administrators and audit user activity.
  • Implement input validation or a web application firewall to sanitize the dscp parameter and block untrusted JavaScript.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Endian firewall Community
CPEs | | cpe:2.3:a:endian:firewall_community:*:*:*:*:*:*:*:*
Vendors & Products | | Endian firewall Community

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the dscp parameter to /manage/qos/rules/. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title | | Endian Firewall /manage/qos/rules/ dscp Stored Cross-Site Scripting
First Time appeared | | Endian; Endian firewall
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*; cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*; cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products | | Endian; Endian firewall
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T15:42:27.349Z

Reserved: 2026-03-30T20:26:18.725Z

Link: CVE-2026-34804

Vulnrichment

Updated: 2026-04-02T15:42:16.886Z

NVD

Status: Analyzed

Published: 2026-04-02T15:16:47.270

Modified: 2026-04-07T15:40:40.257

Link: CVE-2026-34804

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:55:59Z
