Impact
Endian Firewall versions 3.3.25 and earlier allow authenticated attackers to inject arbitrary JavaScript into the "mimetypes" parameter of /cgi-bin/proxypolicy.cgi. This input is stored on the server and executed whenever other users retrieve the affected page, enabling client‑side code execution within the victim’s browser context. The flaw is categorized as a stored cross‑site scripting (CWE‑79) vulnerability and carries a CVSS score of 5.1, indicating a moderate risk level.
Affected Systems
The affected products are Endian Firewall releases, specifically versions 2.1.2, 2.4, 3.3.25, and the community edition release captured by the CPE identifiers. Users running any of these versions should check whether their deployment is affected.
Risk and Exploitability
Exploitation requires legitimate user credentials on the affected firewall instance, as the vulnerability is triggered only by an authenticated attacker. The EPSS score of less than 1% suggests a low probability of real‑world exploitation under current public data. The flaw is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation has been reported. Nonetheless, because the vulnerability allows arbitrary script execution in the context of privileged users, it can be leveraged for session hijacking, credential theft, or defacement within the internal network. The attack vector is likely a direct POST to the /cgi-bin/proxypolicy.cgi endpoint with a crafted "mimetypes" value, as suggested by the vulnerability description.
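The standard defence for this class of bug, shown here as an added illustration that is not Endian Firewall's own code: the submitted "mimetypes" value is validated against an allowlist of type/subtype tokens before it is stored, and every stored value is HTML-escaped when the page is rendered, so markup is never interpreted by the browser. Function names, the separator rules and the sample input are assumptions constructed for the example.

```python
import html
import re

# Allowlist for a single MIME type token: "type/subtype" built only from
# RFC 2045-style token characters. This is a constructed rule for the
# example; the real product's validation is not known from the advisory.
TOKEN = r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}"
MIME_RE = re.compile(rf"{TOKEN}/{TOKEN}")


def parse_mimetypes(raw: str) -> tuple[list[str], list[str]]:
    """Split a submitted 'mimetypes' value into (accepted, rejected).

    Entries may be separated by newlines or commas (an assumption).
    Anything that is not a bare type/subtype token is rejected before
    storage, which is the first layer against stored XSS.
    """
    accepted, rejected = [], []
    for entry in re.split(r"[\r\n,]+", raw):
        entry = entry.strip()
        if not entry:
            continue
        if MIME_RE.fullmatch(entry):
            accepted.append(entry.lower())
        else:
            rejected.append(entry)
    return accepted, rejected


def render_mimetypes(stored: list[str]) -> str:
    """Render stored entries as an HTML list with every value escaped.

    Output encoding is the second layer: even a bad value that reached
    storage before validation existed is displayed as text, not executed.
    """
    items = "".join(f"<li>{html.escape(v, quote=True)}</li>" for v in stored)
    return f"<ul>{items}</ul>"


if __name__ == "__main__":
    # Constructed submission mixing valid tokens with injected markup.
    ok, bad = parse_mimetypes("text/html, application/pdf\n<script>alert(1)</script>")
    print("accepted:", ok)   # ['text/html', 'application/pdf']
    print("rejected:", bad)  # ['<script>alert(1)</script>']
    print(render_mimetypes(ok))
```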
OpenCVE Enrichment