Impact
The vulnerability is a stored cross‑site scripting flaw in Endian Firewall’s administration interface, specifically the remark field on the /manage/dnsmasq/localdomains/ page. An attacker with authenticated access can inject arbitrary JavaScript; the script is persisted and executed whenever other users view the affected page, potentially leading to cookie theft, session hijacking, defacement, or other malicious actions within the web interface.
Affected Systems
The flaw affects Endian Firewall versions up through 3.3.25, including earlier releases such as 2.1.2 and 2.4, as well as the Endian Firewall Community edition. Users running any of these versions should verify whether the /manage/dnsmasq/localdomains/ remark field is enabled and whether they have administrative or editor‑level permissions that allow modification of this field.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity, and the EPSS score below 1% suggests the vulnerability is unlikely to be exploited widely at present. It is not listed in the CISA KEV catalog, so there is no confirmed record there of exploitation in the wild. However, the requirement for authenticated access means that privileged users could inadvertently or deliberately introduce malicious scripts. An attacker could then compromise the confidentiality or integrity of the web interface for other users. Overall, the risk is moderate to high on systems where privileged users are trusted, and it remains a valid attack vector until patched.