CVE-2019-25389

6.1 MEDIUM

📋 TL;DR

This reflected cross-site scripting vulnerability in Smoothwall Express allows unauthenticated attackers to inject malicious JavaScript into users' browsers by manipulating the MACHINES parameter in requests to timedaccess.cgi. Attackers can craft malicious URLs that, when visited by authenticated users, execute arbitrary scripts in their browser context. All users of affected Smoothwall Express versions are vulnerable to this attack.

💻 Affected Systems

Products:
  • Smoothwall Express
Versions: 3.1-SP4-polar-x86_64-update9
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of the specified version. The timedaccess.cgi endpoint is typically accessible to authenticated users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking of authenticated users, credential theft, or performing unauthorized actions within the Smoothwall interface.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, or if the vulnerable endpoint is not internet-facing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Exploit-DB (ID: 46333). Attack requires user interaction (clicking malicious link) but no authentication to the Smoothwall system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://www.smoothwall.org

Restart Required: No

Instructions:

Check Smoothwall.org for security updates. If no patch is available, apply workarounds or upgrade to a newer version if one exists.

🔧 Temporary Workarounds

Input Validation Filter

Platform: linux

Add input validation to filter script tags and JavaScript from the MACHINES parameter.

Modify timedaccess.cgi to sanitize MACHINES parameter input.

Web Application Firewall Rule

Platform: all

Block requests containing script patterns in the MACHINES parameter.

Add a WAF rule to detect and block XSS payloads in URL parameters.
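The two workarounds above both describe filtering. A more durable fix for a reflected XSS is to validate the parameter against the shape it is supposed to have and to HTML-encode anything that is echoed back. The following is an added illustration written for this page, not Smoothwall's own code (timedaccess.cgi is not reproduced here); it is shown in Python rather than in the CGI's own language. It assumes, as a hypothetical, that MACHINES carries a comma-separated list of IPv4 addresses; entries that do not parse as such are rejected, and the rejected value is never reflected into the response.

```python
import html
import ipaddress
from urllib.parse import parse_qs


def parse_machines(raw):
    """Return the list of IPv4 addresses in a MACHINES value.

    The comma-separated-IPv4 format is an assumption made for this
    example.  Any entry that is not a valid IPv4 address raises
    ValueError, so script tags, event handlers and javascript: URLs
    can never reach the output stage.
    """
    machines = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            machines.append(str(ipaddress.IPv4Address(item)))
        except ipaddress.AddressValueError:
            raise ValueError("MACHINES entry is not an IPv4 address")
    return machines


def render_form(machines):
    """Build the HTML fragment that echoes the parameter back.

    html.escape(quote=True) encodes <, >, &, " and ', so even a value
    that slipped past validation could not break out of the attribute.
    """
    value = html.escape(",".join(machines), quote=True)
    return '<input type="text" name="MACHINES" value="%s">' % value


def handle_request(query_string):
    """Minimal request handler: (status, body) for a timedaccess-style query.

    Validation failures return a fixed 400 body that does not include
    the offending input, which is the other half of not reflecting it.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("MACHINES", [""])[0]
    try:
        machines = parse_machines(raw)
    except ValueError:
        return 400, "<p>Invalid MACHINES parameter.</p>"
    return 200, render_form(machines)


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one and the advisory's test payload.
    for qs in ("MACHINES=192.168.1.10,192.168.1.11",
               "MACHINES=<script>alert('test')</script>"):
        print(qs, "->", handle_request(qs))
```

Note that escaping is applied at output time even though validation already happened; the two layers are independent so that a later change to the accepted format does not silently reopen the reflection.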

🧯 If You Can't Patch

  • Restrict access to timedaccess.cgi endpoint using firewall rules or access controls
  • Implement Content Security Policy headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Test by accessing timedaccess.cgi with a simple XSS payload in MACHINES parameter: /cgi-bin/timedaccess.cgi?MACHINES=<script>alert('test')</script>

Check Version:

cat /etc/smoothwall/version

Verify Fix Applied:

Test the same payload after applying fixes; the script should not execute, and the input should be either rejected or properly encoded in the response.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to timedaccess.cgi with script-like content in MACHINES parameter
  • Unusual length or character patterns in URL parameters

Network Indicators:

  • HTTP GET requests containing <script> tags or JavaScript functions in URL parameters
  • Requests to timedaccess.cgi from unexpected sources

SIEM Query:

source="web_logs" AND uri="*/timedaccess.cgi*" AND (uri="*<script>*" OR uri="*javascript:*" OR uri="*onload=*" OR uri="*onerror=*")
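The SIEM query above matches literal substrings in the request URI. Browsers and attackers commonly URL-encode such payloads (`%3Cscript%3E`), so a literal match on `<script>` misses them. The block below is an added example, not part of the advisory, that applies the same four indicators to constructed access-log lines after URL-decoding the URI (twice, to catch double encoding) and scoping to timedaccess.cgi as the query does. It also matches `<script` as a prefix rather than `<script>`, which generalizes the query slightly to catch `<script src=...>`. The log lines and their format are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; not real Smoothwall logs.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Mar/2019:10:01:02 +0000] "GET /cgi-bin/timedaccess.cgi?MACHINES=192.168.1.10 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [12/Mar/2019:10:02:15 +0000] "GET /cgi-bin/timedaccess.cgi?MACHINES=<script>alert(\'test\')</script> HTTP/1.1" 200 1300',
    '10.0.0.9 - - [12/Mar/2019:10:02:40 +0000] "GET /cgi-bin/timedaccess.cgi?MACHINES=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1300',
    '10.0.0.7 - - [12/Mar/2019:10:03:00 +0000] "GET /cgi-bin/index.cgi?page=%3Cscript%3E HTTP/1.1" 200 900',
]

# Same indicators as the SIEM query; "<script" is a prefix so "<script src=" also matches.
XSS_PATTERNS = ("<script", "javascript:", "onload=", "onerror=")
TARGET_ENDPOINT = "/timedaccess.cgi"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one CLF line into its fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matched_pattern(uri):
    """Return the first XSS indicator found in the decoded URI, or None.

    Decoding twice catches double-encoded payloads; lower-casing makes
    the match case-insensitive, which the literal SIEM wildcards are not.
    """
    decoded = unquote(unquote(uri)).lower()
    if TARGET_ENDPOINT not in decoded.split("?", 1)[0]:
        return None
    for pattern in XSS_PATTERNS:
        if pattern in decoded:
            return pattern
    return None


def scan(lines):
    """Return one hit record per suspicious request to timedaccess.cgi."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pattern = matched_pattern(rec["uri"])
        if pattern is not None:
            hits.append({"src": rec["src"], "ts": rec["ts"],
                         "uri": rec["uri"], "pattern": pattern})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["ts"], hit["src"], hit["pattern"], hit["uri"])
```

The third sample line is the case the literal SIEM query would miss; the fourth is flagged by none of the rules because it targets a different endpoint, matching the query's scoping.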
