Impact
The vulnerability exists in Endian Firewall versions up to and including 3.3.25. It allows an authenticated attacker to inject arbitrary JavaScript into the DOMAIN parameter of /cgi-bin/smtpdomains.cgi. The injected script is stored on the server and executed whenever other users load the affected page, resulting in a stored cross‑site scripting flaw classified as CWE‑79. Such client‑side code execution could enable the attacker to steal data from the victim’s browser, deface the interface, or serve further malicious payloads. The possibility of session cookie theft or other malicious actions is inferred from the nature of the flaw and is not directly confirmed by the official description.
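The two controls that close this class of flaw are an allow-list check on the DOMAIN value before it is stored and HTML encoding when the stored value is rendered. The sketch below is an added example, not code from Endian or from the advisory; the function names, the hostname grammar (at least two DNS labels) and the sample entries are assumptions made for illustration.

```python
import html
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
# Assumption: a valid entry is a dotted name with at least two labels.
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
MAX_DOMAIN_LEN = 253


def is_valid_domain(value):
    """Allow-list check to run on a DOMAIN value before it is stored."""
    if not isinstance(value, str) or len(value) > MAX_DOMAIN_LEN:
        return False
    # fullmatch rejects trailing newlines and any character outside the grammar.
    return _DOMAIN_RE.fullmatch(value) is not None


def render_domain_cell(value):
    """Output encoding for the listing page; applied even to validated values."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def audit_stored_domains(entries):
    """Return already-stored entries that fail validation (cleanup candidates)."""
    return [entry for entry in entries if not is_valid_domain(entry)]


# Constructed sample data, not taken from a real appliance.
SAMPLE_ENTRIES = [
    "example.com",
    "mail.example.org",
    "example.com<script>/* constructed */</script>",
    "-bad-.example.net",
    'ex"ample.com',
]

if __name__ == "__main__":
    for bad in audit_stored_domains(SAMPLE_ENTRIES):
        # Escaped form is safe to show in an admin report.
        print("invalid stored entry:", render_domain_cell(bad))
```

Running the audit over existing entries matters because a stored payload persists after the input check is added; encoding on output covers anything the audit misses.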
Affected Systems
The affected product family is Endian Firewall, including commercial releases 2.1.2, 2.4, and 3.3.25, as well as the community edition. All these versions expose the /cgi-bin/smtpdomains.cgi endpoint for managing SMTP domain entries. Any installation running one of these releases is vulnerable if the web interface remains accessible to authenticated users with permission to edit domain settings.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate severity level, while the EPSS score of less than 1% suggests a low likelihood of widespread automated exploitation. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no publicly documented exploits. Exploitation requires a valid authenticated session with sufficient privileges to submit a value for the DOMAIN field; the attack vector is therefore an authenticated web‑application vulnerability with client‑side impact.