Affected Version<\/strong>: <25.2.108
Vulnerability Type<\/strong>: Cross-Site Scripting (CWE-79)
Security Risk<\/strong>: Medium
Vendor<\/strong>: Paessler
Vendor URL<\/strong>: https:\/\/www.paessler.com\/de<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-67834
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-67834<\/a>
Advisory ID<\/strong>: usd-2025-39<\/p>\n
Description<\/h3>\n
The application does not properly encode or filter user-supplied data, which allows reflective injection of JavaScript code.<\/p>\n
This occurs when the web server embeds input containing JavaScript into HTTP responses without sufficient encoding.
The input is not persistently stored but only temporarily reflected and executed within the browsing context of the user.
To perform a reflected XSS attack, an attacker has to induce the victim to issue a malicious request, for example by providing a prepared link.<\/p>\n
A reflected XSS vulnerability can be exploited in various ways.
A common attack is to steal sensitive information from the user and secretly transmit it to the attackers.
Alternatively, attackers can perform actions with the permissions of the user.<\/p>\n
Proof of Concept<\/h3>\n
The search for sensors with a specific tag is vulnerable for reflected cross-site scripting (XSS) attacks, allowing users to inject malicious JavaScript code into the website.<\/p>\n
This vulnerability could be exploited by inducing administrators to click on malicious links to craft malicious links that, if the payload is successfully triggered, could lead to attackers stealing the administrator''s session cookie or performing administrative actions.
Attackers could utilize techniques such as phishing to persuade a user to click on a malicious link.<\/p>\n
Obtaining a user's session cookie however is only possible if the cookie's HttpOnly flag is not set.<\/p>\n
The following link shows an example of malicious link that exploits this vulnerability. alert(document.domain)<\/strong><\/p>\n is inserted into the website, which opens a popup with the user's session cookie.<\/p>\n The following screenshot shows how the injected JavaScript code opens a popup.<\/p>\n It is recommended to treat all input on the website as potentially dangerous.<\/p>\n Invalid values should not be sanitized and forwarded to the application, but instead rejected. Additionally, all output that is dynamically generated based on user-controlled data should be encoded according to its context. Further details on how to prevent XSS vulnerabilities can be obtained in the XSS Prevention Cheat Sheet by OWASP.<\/p>\n This security vulnerability was identified by Simon Kurz and Tobias Hennhoefer of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2025-39 | PRTG Network Monitor 25.2.108 - Reflected XSS Product: PRTG Network MonitorAffected Version: <25.2.108Vulnerability Type: Cross-Site Scripting (CWE-79)Security Risk: MediumVendor: PaesslerVendor URL: https:\/\/www.paessler.com\/deVendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2025-67834CVE Link: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-67834Advisory ID: usd-2025-39 Description The application does not properly encode or filter user-supplied data, which allows reflective injection of JavaScript code. This occurs […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-24793","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=24793"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24793\/revisions"}],"predecessor-version":[{"id":24861,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24793\/revisions\/24861"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=24793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
In this case, the payload <\/strong><\/p>\n<\/span>[<\/span>https:\/\/[REDACTED<\/span>]\/<\/span>sensors<\/span>.<\/span>htm<\/span>?<\/span>filter_tags<\/span>=<\/span>@tag<\/span>(<\/span>%<\/span>3<\/span>Cscript<\/span>%<\/span>3<\/span>Ealert<\/span>(<\/span>document<\/span>.<\/span>cookie<\/span>)<\/span>%<\/span>3<\/span>C<\/span>\/<\/span>script<\/span>%<\/span>3<\/span>E<\/span>)<\/span>]<\/span>()<\/span><\/pre>\n<\/div>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/01\/reflected-xss-in-tag-search.png\")
<\/p>\nFix<\/h3>\n
To achieve this, all input should be validated on the server-side.
Where possible, a list of allowed characters should be defined.
The more restrictive a filter can be specified, the better the protection it provides.
Allowlists are especially recommended if input values have a well defined format or a list of valid input values exists.<\/p>\n
The majority of programming languages support standard procedures for encoding meta characters.<\/p>\nReferences<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n