WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Blocked Sites List

Advisory ID

WGSA-2025-00002

CVE

CVE-2025-1239

Impact

Medium

Status

Resolved

Product Family

Firebox

Published Date

2025-02-13

Updated Date

2025-02-21

Workaround Available

False

CVSS Score

4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the Blocked Sites list. An authenticated remote attacker with administrator privileges could exploit this vulnerability to execute arbitrary JavaScript code in the Firebox management interface of another management user.

Affected

This issue affects Fireware OS: from 12.0 up to and including 12.5.12+701324, from 12.6 up to and including 12.11.

Resolution

Resolved in Fireware OS 12.11.1.

Credits

Simone Paganessi (https://www.linkedin.com/in/simonepaganessi)

Advisory Product List

Product Family	Product Branch	Product List
Firebox	Fireware OS 12.5.x	T15, T35
Firebox	Fireware OS 12.x	T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV

Lista degli avvisi

Go to