Impact
Endian Firewall versions 2.x through 3.3.25 and the Community edition contain a stored cross-site scripting flaw in the group parameter of /cgi-bin/proxygroup.cgi. An attacker who is authenticated and has permission to create proxy groups can inject arbitrary JavaScript that is persisted and run whenever other users view the affected page. The impact includes potential theft of session data, defacement, or execution of further attacks within the victim’s browser context, thereby compromising confidentiality, integrity, and potentially availability of the web interface.
Affected Systems
The vulnerability affects Endian Firewall products across multiple major releases, including versions 2.1.2, 2.4 and 3.3.25 and the Community edition. All installations of these firmware builds before the fix are susceptible.
Risk and Exploitability
The vulnerability is rated moderate (CVSS 5.1) with an EPSS score of less than 1% and is not listed in CISA's KEV catalog, indicating a relatively low likelihood of widespread exploitation. However, because the attack requires authenticated administrative privileges to create a malicious proxy group, the risk remains significant for organizations with permissive user roles or poorly managed privileges. The exploit path is straightforward: an authorized user submits a specially crafted group value, which is stored and later rendered unescaped in the web UI for any users who access the proxy group page.
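The store-then-render-unescaped pattern described above, next to the two usual mitigations (allowlist validation on input, HTML encoding on output), as an added example that is not Endian's code. The function names, the allowlist policy and the sample group names are assumptions constructed for illustration.

```python
import html
import re

# Assumed policy (not from the vendor): group names are short identifiers
# made of letters, digits, space, underscore, dot and hyphen.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9_. -]{1,64}")


def validate_group(name: str) -> str:
    """Input-side check: refuse to store anything outside the allowlist."""
    if not GROUP_NAME_RE.fullmatch(name):
        raise ValueError("group name contains characters outside the allowlist")
    return name


def render_row_unsafe(name: str) -> str:
    """The flawed pattern: the stored value is concatenated into HTML as-is."""
    return "<tr><td>" + name + "</td></tr>"


def render_row_safe(name: str) -> str:
    """Output-side fix: HTML-encode at render time, however the value was stored."""
    return "<tr><td>" + html.escape(name, quote=True) + "</td></tr>"


def audit_stored_groups(names):
    """Return already-stored names that fail validation (legacy data review)."""
    return [n for n in names if not GROUP_NAME_RE.fullmatch(n)]


# Constructed sample data: two ordinary names and one containing benign markup.
STORED_GROUPS = ["staff", "guest-wifi", "<i>contractors</i>"]

if __name__ == "__main__":
    for group in STORED_GROUPS:
        print("unsafe:", render_row_unsafe(group))
        print("safe:  ", render_row_safe(group))
    print("needs review:", audit_stored_groups(STORED_GROUPS))
```

Output encoding is the control that closes the flaw for values already in storage; the input allowlist and the audit pass reduce what reaches the renderer in the first place.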