Affected Version<\/strong>: <25.2.108
Vulnerability Type<\/strong>: Cross-Site Scripting (CWE-79)
Security Risk<\/strong>: High
Vendor<\/strong>: Paessler
Vendor URL<\/strong>: https:\/\/www.paessler.com\/de<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Yes
CVE Number<\/strong>: CVE-2025-67834
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-67834<\/a>
Advisory ID<\/strong>: usd-2025-40<\/p>\n
Description<\/h3>\n
The application does not properly encode or filter user-supplied data, which allows reflective injection of JavaScript code.<\/p>\n
This occurs when the web server embeds input containing JavaScript into HTTP responses without sufficient encoding.
The input is not persistently stored but only temporarily reflected and executed within the browsing context of the user.
To perform a reflected XSS attack, an attacker has to induce the victim to issue a malicious request, for example by providing a prepared link.<\/p>\n
A reflected XSS vulnerability can be exploited in various ways.
A common attack is to steal sensitive information from the user and secretly transmit it to the attackers.
Alternatively, attackers can perform actions with the rights of the user.<\/p>\n
Proof of Concept<\/h3>\n
The filters of tables are vulnerable to reflected Cross-Site Scripting (XSS) attacks.
This allows attackers to inject arbitrary JavaScript code into the website by manipulating the URL.
This can be exploited to craft malicious links that when clicked on, will execute the attacker's JavaScript code in the browser of the user.<\/p>\n
As the session cookie does not have the HTTPOnly<\/strong> flag set, attackers can steal the user's session cookie and perform administrative actions.<\/p>\n The following payload injects JavaScript code into the webpage that opens a popup with the user's session cookie as soon as their mouse enters the browser window. The following example shows a malicious link with the payload above.<\/p>\n When a user clicks on the link, the injected JavaScript code is executed in their browser. The following screenshot shows the user's view after they click on the malicious link shown above.<\/p>\n It is recommended to treat all input on the website as potentially dangerous.<\/p>\n Invalid values should not be sanitized and forwarded to the application, but instead rejected. Additionally, all output that is dynamically generated based on user-controlled data should be encoded according to its context. Further details on how to prevent XSS vulnerabilities can be obtained in the XSS Prevention Cheat Sheet by OWASP.<\/p>\n This security vulnerability was identified by Simon Kurz and Tobias Hennhoefer of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2025-40 | PRTG Network Monitor 25.2.108 - Reflected XSS Product: PRTG Network MonitorAffected Version: <25.2.108Vulnerability Type: Cross-Site Scripting (CWE-79)Security Risk: HighVendor: PaesslerVendor URL: https:\/\/www.paessler.com\/deVendor acknowledged vulnerability: YesVendor Status: YesCVE Number: CVE-2025-67834CVE Link: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-67834Advisory ID: usd-2025-40 Description The application does not properly encode or filter user-supplied data, which allows reflective injection of JavaScript code. This occurs […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-24781","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=24781"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24781\/revisions"}],"predecessor-version":[{"id":24871,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24781\/revisions\/24871"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=24781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
The payload must be inserted into one of the filters in the URL's query parameter filters<\/strong>.<\/p>\n<\/span>%20onmouseover=alert(document.cookie)%20style='position:absolute;width:100%25;height=100%25;left:0;top:0'<\/span><\/pre>\n<\/div>\n<\/span>[<\/span>https:\/\/[REDACTED<\/span>]\/<\/span>controls<\/span>\/<\/span>table<\/span>.<\/span>htm<\/span>?<\/span>tableid<\/span>=<\/span>sensortable<\/span>&<\/span>content<\/span>=<\/span>sensors<\/span>&<\/span>columns<\/span>=<\/span>sensor<\/span>%<\/span>2<\/span>Cprobegroupdevice<\/span>%<\/span>2<\/span>Cstatus<\/span>%<\/span>2<\/span>Clastvalue<\/span>%<\/span>2<\/span>Cmessage<\/span>%<\/span>2<\/span>Cminigraph<\/span>%<\/span>2<\/span>Cpriority<\/span>%<\/span>2<\/span>Cfavorite<\/span>%<\/span>2<\/span>Csize<\/span>%<\/span>3<\/span>Dhtmllong<\/span>%<\/span>2<\/span>Ccheckbox<\/span>&<\/span>tools<\/span>=<\/span>pause<\/span>%<\/span>2<\/span>Cacknowledge<\/span>%<\/span>2<\/span>Cfave<\/span>%<\/span>2<\/span>Cprio<\/span>%<\/span>2<\/span>Cscan<\/span>%<\/span>2<\/span>Cdelete<\/span>%<\/span>2<\/span>Cedit<\/span>&<\/span>sortby<\/span>=<\/span>priority<\/span>&<\/span>sortable<\/span>=<\/span>true<\/span>&<\/span>refreshable<\/span>=<\/span>true<\/span>&<\/span>tabletitle<\/span>=<\/span>AUTO<\/span>&<\/span>varexpand<\/span>=<\/span>filters<\/span>&<\/span>filters<\/span>=<\/span>words<\/span>!<\/span>sensors<\/span>%<\/span>2<\/span>Cobjects<\/span>!<\/span>data<\/span>-<\/span>filtername<\/span>%<\/span>3<\/span>Dxss<\/span>%<\/span>20<\/span>onmouseover<\/span>=<\/span>alert<\/span>(<\/span>document<\/span>.<\/span>cookie<\/span>)<\/span>%<\/span>20<\/span>style<\/span>=<\/span>'position:absolute;width:100%25;height=100%25;left:0;top:0'<\/span>&<\/span>id<\/span>=<\/span>24264<\/span>]<\/span>()<\/span><\/pre>\n<\/div>\n
By utilizing phishing, attackers could persuade an administrator to click on the link, steal their session cookie and perform critical administrative actions with it.<\/p>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/01\/reflected-xss-alert.png\")
<\/p>\nFix<\/h3>\n
To achieve this, all input should be validated on the server-side.
Where possible, a list of allowed characters should be defined.
The more restrictive a filter can be specified, the better the protection it provides.
Allowlists are especially recommended if input values have a well defined format or a list of valid input values exists.<\/p>\n
The majority of programming languages support standard procedures for encoding meta characters.<\/p>\nReferences<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n