Description
Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored cross‑site scripting (CWE‑79)
Action: Patch Now
AI Analysis

Impact

An authenticated attacker can insert arbitrary JavaScript into the ADDRESS BCC field of the smtprouting.cgi script. The content is stored and later executed whenever any user loads the affected page, resulting in a stored cross‑site scripting vulnerability. Because the script runs in the victim’s browser, the attacker can steal session cookies, deface the user interface, or redirect users to malicious sites. This flaw is classified as CWE‑79.

Affected Systems

The weakness affects Endian Firewall releases from version 2.1.2 through 3.3.25 and any earlier builds. All installations that provide the smtprouting.cgi functionality are susceptible, as the issue originates in the processing of the ADDRESS BCC input. Administrators should verify whether they run one of the listed versions and identify any smtprouting configuration entries that contain unsanitized user input.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the lack of a publicly available EPSS score means the exact exploitation likelihood is unknown. Although the vulnerability is not listed in the CISA KEV catalogue, the fact that it requires authentication and persists in configuration data raises the risk of internal compromise. If an attacker with administrative privileges accesses the system, the stored JavaScript can be triggered for every user that visits the page, potentially enabling widespread credential theft or session hijacking within the organization.

Generated by OpenCVE AI on April 2, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Endian Firewall patch or upgrade to a newer release that removes the stored XSS flaw.
  • If immediate upgrade is not possible, disable or restrict the ADDRESS BCC feature in smtprouting.cgi to prevent storing unsanitized input.
  • Audit existing smtprouting.cgi configurations for injected scripts, remove any malicious content, and validate the integrity of the configuration database.
  • Monitor web access logs for suspicious browsing of the smtprouting.cgi page and for any abnormal JavaScript execution.

Generated by OpenCVE AI on April 2, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Endian Firewall version 3.3.25 and prior allow stored cross-site scripting (XSS) via the ADDRESS BCC parameter to /cgi-bin/smtprouting.cgi. An authenticated attacker can inject arbitrary JavaScript that is stored and executed when other users view the affected page.
Title Endian Firewall /cgi-bin/smtprouting.cgi ADDRESS BCC Stored Cross-Site Scripting
First Time appeared Endian
Endian firewall
Weaknesses CWE-79
CPEs cpe:2.3:a:endian:firewall:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:2.4:*:*:*:*:*:*:*
cpe:2.3:a:endian:firewall:3.3.25:*:*:*:*:*:*:*
Vendors & Products Endian
Endian firewall
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Endian Firewall
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-02T16:22:30.054Z

Reserved: 2026-03-30T20:26:18.726Z

Link: CVE-2026-34817

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-02T15:16:50.310

Modified: 2026-04-02T15:16:50.310

Link: CVE-2026-34817

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:20:27Z

Weaknesses