CVE-2019-25430

CVSS base score: 6.1 MEDIUM

📋 TL;DR

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting (XSS) vulnerability in the vpn_users endpoint of its web management interface. The username parameter of a POST request to /vpn_users is echoed into the response without output encoding, so an attacker who holds no credentials of their own can craft a request that runs arbitrary JavaScript in the browser of whoever submits it. Because the flaw is reflected, the attacker has to get a victim, typically a logged-in administrator, to submit the crafted request. All deployments running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Comodo Dome Firewall
Versions: 2.7.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of the vpn_users endpoint.

📦 What is this software?

Comodo Dome Firewall is a network firewall appliance administered through a web management interface; vpn_users is the page in that interface that manages VPN user accounts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Script running inside an administrator's authenticated session on the management interface can steal credentials or session cookies, hijack the session, redirect the administrator to attacker-controlled sites, or perform actions on the administrator's behalf, which on a firewall means changing policy or adding VPN accounts.

🟠 Likely Case

An attacker lures an administrator into submitting the crafted POST, for example through a link to an attacker-controlled page that auto-submits the form, and uses the injected script to steal the administrator's session cookie or credentials.

🟢 If Mitigated

Context-appropriate output encoding of the username value when it is written into the page removes the vulnerability entirely. Input validation adds defence in depth, but on its own is not a reliable fix for XSS.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (the attacker needs no account; the victim who submits the request must hold a session for credential or session theft to matter)
Complexity: LOW

Exploit code is publicly available on Exploit-DB, so building a working attack page is straightforward. Because the injection point is a POST parameter, the attack still depends on a victim visiting an attacker-controlled page (or otherwise submitting the crafted form) while logged in to the management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.0 or later

Vendor Advisory: https://cdome.comodo.com/firewall/

Restart Required: Yes

Instructions:

1. Download the latest version from Comodo's website.
2. Back up the current configuration.
3. Install the update following the vendor's instructions.
4. Restart the firewall service.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (platforms: all)

Place a WAF or reverse proxy in front of the management interface and block requests to /vpn_users whose username parameter contains markup or script patterns. Match after URL and HTML-entity decoding rather than on the literal string <script> alone: other tags, event-handler attributes and encoded payloads evade a literal match. This is a stop-gap, not a fix.

Input Validation Filter (platforms: all)

Where a fronting proxy can inspect the form, reject username values containing characters that have no place in a VPN user name (<, >, ", ') instead of trying to enumerate attack patterns. The vulnerable code is the vendor's, so this filter can only live in a component you control in front of the appliance.

🧯 If You Can't Patch

  • Restrict access to the firewall management interface to trusted administrator IP addresses only. This shrinks the exposure but does not remove it: a reflected XSS is triggered from the administrator's own browser, which sits on a trusted address.
  • Have a fronting proxy add a Content-Security-Policy header that forbids inline script. Test the management UI afterwards, since a policy that has to allow 'unsafe-inline' to keep the UI working gives no protection against this flaw.
  • Have administrators log out of the management interface when not using it; the injected script needs a live session to do damage.

🔍 How to Verify

Check if Vulnerable:

Send a POST request to /vpn_users with a username parameter containing a harmless marker payload such as <script>alert('test')</script> and inspect the response. If the angle brackets come back unencoded in the HTML, the parameter is reflected without output encoding and the page is vulnerable. Watching for the alert in a browser also confirms it, but inspecting the raw response is more reliable and does not depend on browser behaviour.

Check Version:

Check the firewall web interface or CLI for version information; it should show 2.8.0 or higher.

Verify Fix Applied:

After patching, repeat the same request with the same payload. The response should either not reflect the value at all or reflect it only in encoded form (&lt;script&gt;...), and the script must not execute in a browser.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /vpn_users whose username field contains markup, script tags, event-handler attributes, or URL- or entity-encoded forms of these. This needs a log source that records the request body (a WAF or reverse proxy); ordinary web-server access logs do not contain form fields.
  • Requests to /vpn_users carrying an Origin or Referer header that is not the management interface itself, where the web server logs those headers; the crafted POST is normally auto-submitted from an attacker's page.

Network Indicators:

  • HTTP POST bodies to the management interface containing script payloads. If the interface is served over TLS, these are visible only on the appliance or where TLS is terminated.

SIEM Query (pseudo-syntax; adapt to your SIEM and to a source that logs POST bodies):

source="firewall_logs" AND method="POST" AND uri="/vpn_users" AND (username CONTAINS "<script" OR username CONTAINS "%3Cscript" OR username CONTAINS "onerror=" OR username CONTAINS "javascript:")

A literal match like this is a starting point only; decode the field before matching, or the encoded and alternative-tag variants will slip past it.
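As an added example (not from the advisory or the vendor), the following detection logic does what the query above cannot: it decodes the username field, repeatedly, before matching, so double-URL-encoded and entity-encoded payloads and non-script tags are caught. It assumes a hypothetical JSON-per-line log from a WAF or reverse proxy that records the POST body; the sample lines are constructed for illustration.

```python
"""Detection of crafted POSTs to /vpn_users (CVE-2019-25430).

Added example, not from the advisory. It assumes a log source that records
the POST body (a WAF or reverse proxy in front of the management UI) in a
hypothetical JSON-per-line format; ordinary access logs do not contain form
fields. The log lines below are constructed for illustration.
"""
import html
import json
import re
import urllib.parse

# What a literal CONTAINS "<script>" rule misses: other tags, event-handler
# attributes and javascript: URLs. Matched case-insensitively after decoding.
XSS_PATTERNS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|style|link|meta|form)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def normalize(value: str, rounds: int = 3) -> str:
    """Peel off URL and HTML-entity encoding until the value is stable.

    Attackers double-encode to slip past naive matching; a bounded loop
    handles that without running forever on pathological input.
    """
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_username(raw: str) -> bool:
    """True if the decoded username contains markup or script constructs."""
    return XSS_PATTERNS.search(normalize(raw)) is not None


def scan(lines):
    """Return (line_no, src_ip, decoded_username) for suspicious POSTs to /vpn_users."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        if rec.get("method") != "POST" or rec.get("uri", "").split("?", 1)[0] != "/vpn_users":
            continue
        # parse_qs already applies one round of URL decoding.
        form = urllib.parse.parse_qs(rec.get("body", ""), keep_blank_values=True)
        for username in form.get("username", []):
            if is_suspicious_username(username):
                hits.append((line_no, rec.get("src_ip"), normalize(username)))
    return hits


# Constructed sample log lines in the hypothetical format (not real traffic).
SAMPLE_LOG = [
    '{"src_ip":"10.0.0.5","method":"POST","uri":"/vpn_users","body":"username=alice&action=add"}',
    '{"src_ip":"203.0.113.7","method":"POST","uri":"/vpn_users","body":"username=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
    '{"src_ip":"203.0.113.7","method":"POST","uri":"/vpn_users","body":"username=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"}',
    '{"src_ip":"198.51.100.9","method":"POST","uri":"/vpn_users","body":"username=%26lt%3Bsvg%20onload%3Dalert(1)%26gt%3B"}',
    '{"src_ip":"198.51.100.9","method":"POST","uri":"/login","body":"username=%3Cscript%3E"}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, src_ip, username in scan(SAMPLE_LOG):
        print(f"line {line_no} from {src_ip}: {username!r}")
```

Lines 2, 3 and 4 of the sample are flagged: the plain <script> payload, a double-URL-encoded <img onerror> payload, and an entity-encoded <svg onload> payload. The literal "<script>" query would have caught only the first. Line 5 targets a different URI and is out of scope for this rule, and the malformed line is skipped rather than crashing the scan.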

🔗 References
