CVE-2019-25379

7.2 HIGH

📋 TL;DR

This stored and reflected XSS vulnerability in Smoothwall Express lets an attacker inject JavaScript through the REDIRECT_PAGE and CHILDREN parameters of the urlfilter.cgi endpoint. Because the flaw is both stored and reflected, a payload can fire either when an authenticated user is lured into submitting a crafted POST or, once persisted, whenever the affected filter page is viewed. Script running in that context can hijack the victim's session or capture credentials; since the victim is normally a firewall administrator, the consequences extend to whatever the admin interface can do. Organizations running the vulnerable Smoothwall Express version are affected.

💻 Affected Systems

Products:
  • Smoothwall Express
Versions: 3.1-SP4-polar-x86_64-update9
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of the specified version. No special configuration is required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users. Because the target is the firewall's own admin interface, script running in an administrator's session can drive any change the interface exposes, which can amount to full system compromise.

🟠 Likely Case

Attackers would typically steal session cookies or credentials, mount phishing attacks, or deface the web interface by injecting content.

🟢 If Mitigated

With proper input validation and output encoding, injected markup is rendered as inert text rather than executed in the user's browser.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: No (a valid session on the admin interface is required, so attacks rely on an administrator submitting or viewing the payload)
Complexity: LOW

Exploit code is publicly available on Exploit-DB (EDB-ID 46333). The PoC is a POST to /cgi-bin/urlfilter.cgi carrying the payload in the REDIRECT_PAGE or CHILDREN parameter; because the endpoint requires authentication, a real attack pairs it with a lured administrator's browser session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to a version beyond 3.1-SP4-polar-x86_64-update9

Vendor Advisory: http://www.smoothwall.org

Restart Required: Yes

Instructions:

1. Check the current version.
2. Back up the configuration.
3. Apply the latest Smoothwall Express update from the official repository.
4. Restart services.
5. Verify the fix.

🔧 Temporary Workarounds

Input Validation Filter (linux)

Implement input validation to sanitize the REDIRECT_PAGE and CHILDREN parameters before processing: modify urlfilter.cgi to validate the values against allowlist regex patterns and reject anything that does not match.
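The workaround above in code, as an added example: this is a Python model of the CGI logic, not Smoothwall's Perl source, and the expected shapes of REDIRECT_PAGE (a site-relative path) and CHILDREN (a comma-separated list of identifiers) are assumptions chosen for illustration. It shows the vulnerable pattern of echoing the parameters into HTML verbatim beside a hardened version that allowlists on input and escapes on output.

```python
"""Vulnerable-versus-hardened handling of the urlfilter.cgi parameters.
Hypothetical Python model (not Smoothwall's Perl CGI); the value formats
below are assumptions, not taken from Smoothwall documentation."""
import html
import re

# Assumed formats: REDIRECT_PAGE is a site-relative path, CHILDREN a
# comma-separated list of identifiers.
REDIRECT_PAGE_RE = re.compile(r"/[A-Za-z0-9_./-]{0,255}")
CHILD_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def render_unsafe(params):
    """Vulnerable pattern: request values land in the page unmodified, so a
    value such as '"><script>...' closes the attribute and injects markup."""
    redirect = params.get("REDIRECT_PAGE", "")
    children = params.get("CHILDREN", "")
    return (f'<input type="hidden" name="REDIRECT_PAGE" value="{redirect}">'
            f'<input type="hidden" name="CHILDREN" value="{children}">')


def validate_params(params):
    """Allowlist validation: reject anything outside the expected shape
    instead of trying to strip tags (blacklists miss event handlers,
    entity-encoded payloads and so on)."""
    redirect = params.get("REDIRECT_PAGE", "")
    if redirect and (not REDIRECT_PAGE_RE.fullmatch(redirect) or ".." in redirect):
        raise ValueError("REDIRECT_PAGE must be a site-relative path")
    children = [c for c in params.get("CHILDREN", "").split(",") if c]
    for child in children:
        if not CHILD_ID_RE.fullmatch(child):
            raise ValueError(f"invalid CHILDREN entry: {child!r}")
    return redirect, children


def render_safe(params):
    """Hardened: validate on input and still HTML-escape on output, so a
    later loosening of the allowlist does not reopen the injection."""
    redirect, children = validate_params(params)
    safe_redirect = html.escape(redirect, quote=True)
    safe_children = html.escape(",".join(children), quote=True)
    return (f'<input type="hidden" name="REDIRECT_PAGE" value="{safe_redirect}">'
            f'<input type="hidden" name="CHILDREN" value="{safe_children}">')


def is_rejected(params):
    """True when the hardened path refuses the request."""
    try:
        render_safe(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = {"REDIRECT_PAGE": '"><script>alert(document.cookie)</script>', "CHILDREN": "a"}
    print("unsafe :", render_unsafe(payload))
    print("rejected by hardened path:", is_rejected(payload))
    print("safe   :", render_safe({"REDIRECT_PAGE": "/cgi-bin/urlfilter.cgi", "CHILDREN": "a,b"}))
```

The allowlist does the real work; the html.escape call is defence in depth. Rejecting with an error rather than silently stripping characters also makes probing attempts visible in the logs.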

Web Application Firewall (all)

Deploy WAF rules that block XSS payloads aimed at the urlfilter.cgi endpoint: configure XSS detection rules for POST requests to /cgi-bin/urlfilter.cgi, inspecting the request body and not only the query string.

🧯 If You Can't Patch

  • Implement a strict Content Security Policy header to restrict script execution. Caveat: this requires changing the web server configuration, and a policy that blocks inline scripts will break any admin pages that depend on them, so test the policy against the interface before enforcing it.
  • Disable or restrict access to the urlfilter.cgi endpoint, and more generally to the admin web interface, with firewall rules so that only trusted management hosts can reach it. This shrinks the set of browsers an attacker can target but does not remove the flaw.

🔍 How to Verify

Check if Vulnerable:

Using a valid admin session, submit a POST request to /cgi-bin/urlfilter.cgi with a harmless marker such as "><xsscheck> in the REDIRECT_PAGE (and CHILDREN) parameter and check whether the marker comes back in the response unencoded. Because the flaw is also stored, reload the filter page afterwards to see whether the marker persists.

Check Version:

cat /etc/smoothwall/version

Verify Fix Applied:

After patching, repeat the test: the marker should be rejected, or reflected only in HTML-escaped form (for example &lt;xsscheck&gt;), and must not execute in a browser.
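The check described above as a script, added here as an example (it is not the Exploit-DB PoC and not vendor tooling). The endpoint and parameter names come from the advisory; the assumptions are that you supply an authenticated session cookie and that the admin interface uses a self-signed certificate, which is why certificate verification is disabled for the probe.

```python
"""Probe /cgi-bin/urlfilter.cgi with a harmless marker and classify whether
it is reflected raw (vulnerable), HTML-escaped (fix applied) or not at all.
Added example; assumes an authenticated session cookie is passed in and
that the admin interface presents a self-signed certificate."""
import html
import ssl
import urllib.parse
import urllib.request

# A harmless marker: it breaks out of an attribute if reflected raw but
# does not execute anything, so it is safe to use on a live firewall.
MARKER = 'x"><xsscheck>'


def build_probe(marker=MARKER):
    """Form body carrying the marker in both parameters the advisory names."""
    return urllib.parse.urlencode({"REDIRECT_PAGE": marker, "CHILDREN": marker}).encode()


def classify(body, marker=MARKER):
    """'vulnerable' if the raw marker is present, 'encoded' if it only appears
    HTML-escaped, 'absent' if it is not reflected in this response at all."""
    if marker in body:
        return "vulnerable"
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return "encoded"
    return "absent"


def probe(base_url, session_cookie, timeout=10):
    """POST the probe with the given admin session and classify the reply."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # assumption: self-signed admin certificate
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        base_url.rstrip("/") + "/cgi-bin/urlfilter.cgi",
        data=build_probe(),
        headers={"Cookie": session_cookie,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return classify(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://firewall.example:PORT 'SESSION=...'
    print(probe(sys.argv[1], sys.argv[2]))
```

An "absent" result is not proof of safety: the stored variant may only surface when the filter page is loaded again, so fetch that page with the same session and run classify on it as well.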

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /cgi-bin/urlfilter.cgi whose REDIRECT_PAGE or CHILDREN values contain script tags, javascript: URLs, or inline event handlers
  • Unusual parameter values in urlfilter.cgi logs

Caveat: a standard web-server access log records the request line, not the POST body, so parameter-level indicators are only visible where request bodies are logged (for example by a WAF or reverse proxy in front of the admin interface).

Network Indicators:

  • HTTP POST requests to urlfilter.cgi with suspicious parameter values
  • Multiple failed XSS attempts from the same source

SIEM Query (pseudo-query; field names depend on your log source):

source="web_logs" AND uri="/cgi-bin/urlfilter.cgi" AND (param="REDIRECT_PAGE" OR param="CHILDREN") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
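The query above run as code over sample log lines, added here as an example rather than any vendor or Smoothwall tooling. Because ordinary access logs do not carry POST bodies, the line format is an assumption: one a WAF or reverse proxy might emit, with the URL-encoded request body appended as "<timestamp> <source> <method> <uri> <body>". The sample lines are constructed, and the pattern set is deliberately broader than the query's two literals so that tag-based and event-handler payloads are caught too.

```python
"""Detection for XSS attempts against urlfilter.cgi over constructed log
lines. Added example; the log format (timestamp, source, method, uri,
URL-encoded body) is an assumption, not a Smoothwall log format."""
import re
import urllib.parse
from collections import Counter

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<body>.*))?$")
TARGET_URI = "/cgi-bin/urlfilter.cgi"
WATCHED_PARAMS = ("REDIRECT_PAGE", "CHILDREN")
# Broader than the SIEM query's two literals: script tags, javascript: URLs,
# common tag-based vectors and inline event handlers.
XSS_RE = re.compile(r"<\s*script|javascript:|<\s*(?:svg|img|iframe|body|object)\b|\bon[a-z]+\s*=", re.I)

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 192.0.2.0/24
# are documentation address ranges.
SAMPLE_LOG = """\
2019-02-07T10:12:01Z 203.0.113.5 POST /cgi-bin/urlfilter.cgi REDIRECT_PAGE=%3Cscript%3Ealert(1)%3C%2Fscript%3E&CHILDREN=a
2019-02-07T10:12:09Z 203.0.113.5 POST /cgi-bin/urlfilter.cgi REDIRECT_PAGE=%2Fcgi-bin%2Furlfilter.cgi&CHILDREN=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E
2019-02-07T10:13:44Z 192.0.2.10 POST /cgi-bin/urlfilter.cgi REDIRECT_PAGE=%2Fcgi-bin%2Furlfilter.cgi&CHILDREN=a,b
2019-02-07T10:14:02Z 192.0.2.10 GET /cgi-bin/index.cgi
"""


def suspicious_values(body):
    """Decode the form body and return (param, value) pairs that match."""
    hits = []
    for param, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
        if param not in WATCHED_PARAMS:
            continue
        for value in values:
            # Decode once more to catch double-encoded payloads (%253C -> %3C -> <).
            if XSS_RE.search(value) or XSS_RE.search(urllib.parse.unquote(value)):
                hits.append((param, value))
    return hits


def scan(log_text):
    """Return (findings, per_source) for POSTs to the vulnerable endpoint.
    per_source counts hits per client so repeated attempts stand out."""
    findings, per_source = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["uri"].split("?")[0] != TARGET_URI:
            continue
        for param, value in suspicious_values(m["body"] or ""):
            findings.append({"ts": m["ts"], "src": m["src"], "param": param, "value": value})
            per_source[m["src"]] += 1
    return findings, per_source


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print("repeat sources:", {s: n for s, n in counts.items() if n > 1})
```

Two of the four sample lines produce findings, both from the same source, which is the "multiple attempts from one source" indicator; the benign POST and the GET to another endpoint are ignored.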
