usd-2025-39 | PRTG Network Monitor 25.2.108 - Reflected XSS

Product: PRTG Network Monitor
Affected Version: <25.2.108
Vulnerability Type: Cross-Site Scripting (CWE-79)
Security Risk: Medium
Vendor: Paessler
Vendor URL: https://www.paessler.com/de
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2025-67834
CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-67834
Advisory ID: usd-2025-39

Description

The application does not properly encode or filter user-supplied data, which allows reflective injection of JavaScript code.

This occurs when the web server embeds input containing JavaScript into HTTP responses without sufficient encoding.
The input is not persistently stored but only temporarily reflected and executed within the browsing context of the user.
To perform a reflected XSS attack, an attacker has to induce the victim to issue a malicious request, for example by providing a prepared link.

A reflected XSS vulnerability can be exploited in various ways.
A common attack is to steal sensitive information from the user and secretly transmit it to the attackers.
Alternatively, attackers can perform actions with the permissions of the user.

Proof of Concept

The search for sensors with a specific tag is vulnerable to reflected cross-site scripting (XSS) attacks, allowing users to inject malicious JavaScript code into the website.

This vulnerability could be exploited by inducing administrators to click on crafted malicious links that, if the payload is successfully triggered, could lead to attackers stealing the administrator's session cookie or performing administrative actions.
Attackers could utilize techniques such as phishing to persuade a user to click on a malicious link.

Obtaining a user's session cookie however is only possible if the cookie's HttpOnly flag is not set.

The following link shows an example of a malicious link that exploits this vulnerability.
In this case, the payload

alert(document.cookie)

is inserted into the website, which opens a popup with the user's session cookie.

https://[REDACTED]/sensors.htm?filter_tags=@tag(%3Cscript%3Ealert(document.cookie)%3C/script%3E)

The following screenshot shows how the injected JavaScript code opens a popup.

Fix

It is recommended to treat all input on the website as potentially dangerous.

Invalid values should not be sanitized and forwarded to the application, but instead rejected.
To achieve this, all input should be validated on the server-side.
Where possible, a list of allowed characters should be defined.
The more restrictive a filter can be specified, the better the protection it provides.
Allowlists are especially recommended if input values have a well-defined format or a list of valid input values exists.

Additionally, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
The majority of programming languages support standard procedures for encoding meta characters.

Further details on how to prevent XSS vulnerabilities can be obtained in the XSS Prevention Cheat Sheet by OWASP.
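The two recommendations above, allowlist validation with rejection of invalid values and context-aware output encoding, applied to a filter_tags parameter shaped like the one in the proof of concept. This is an added illustration written for this advisory, not PRTG's own code; the @tag(name) syntax is taken from the PoC link, while the permitted tag character set, the handler and the HTML template are assumptions.

```python
import html
import re

# Constructed sample input: the PoC value from this advisory, URL-decoded.
POC_FILTER = "@tag(<script>alert(document.cookie)</script>)"

# Assumed allowlist for the @tag(...) filter syntax: the tag name may only
# contain letters, digits, underscore, hyphen and dot, at most 64 characters.
TAG_FILTER_RE = re.compile(r"^@tag\(([A-Za-z0-9_.-]{1,64})\)$")


def render_vulnerable(filter_tags: str) -> str:
    """Reflects the raw query value into the HTML response (the CWE-79 pattern)."""
    return f"<h2>Sensors with filter {filter_tags}</h2>"


def render_encoded_only(filter_tags: str) -> str:
    """Output encoding alone: meta characters are escaped for an HTML text context."""
    return f"<h2>Sensors with filter {html.escape(filter_tags, quote=True)}</h2>"


def validate_tag_filter(filter_tags: str) -> str:
    """Server-side allowlist check; invalid values are rejected, not sanitized."""
    match = TAG_FILTER_RE.fullmatch(filter_tags)
    if match is None:
        raise ValueError("filter_tags does not match the @tag(<name>) format")
    return match.group(1)


def render_hardened(filter_tags: str) -> str:
    """Validate first, then still encode the value for the HTML context it lands in."""
    tag = validate_tag_filter(filter_tags)
    return f"<h2>Sensors with filter @tag({html.escape(tag, quote=True)})</h2>"


def handle_request(filter_tags: str) -> tuple[int, str]:
    """Minimal handler: HTTP 400 for rejected input, 200 with encoded output otherwise."""
    try:
        return 200, render_hardened(filter_tags)
    except ValueError as exc:
        return 400, html.escape(str(exc))


if __name__ == "__main__":
    print(render_vulnerable(POC_FILTER))     # script tag reaches the browser unchanged
    print(render_encoded_only(POC_FILTER))   # rendered as text: &lt;script&gt;...
    print(handle_request(POC_FILTER))        # (400, ...) rejected by the allowlist
    print(handle_request("@tag(linux)"))     # (200, '<h2>Sensors with filter @tag(linux)</h2>')
```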

Timeline

  • 2025-09-12: Vulnerabilities reported to Paessler.
  • 2025-11-29: Release of PRTG version 25.4.114.1032.
  • 2025-12-17: PRTG Hosted Monitor is upgraded to PRTG version 25.4.114.1032.
  • 2026-01-13: Public disclosure of this vulnerability.

Credits

This security vulnerability was identified by Simon Kurz and Tobias Hennhoefer of usd AG.