Reflected Cross-Site Scripting (XSS) on Anon Proxy Server
Anon Proxy Server v0.104.
INCIBE has coordinated the disclosure of three medium-severity vulnerabilities affecting Anon Proxy Server, a fast proxy server with HTTP, HTTPS, and SOCKS caching. The vulnerabilities were discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vectors, and CWE vulnerability type:
- From CVE-2025-41355 to CVE-2025-41357: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
These vulnerabilities have been fixed in the latest version.
Anon Proxy Server v0.104 is affected by reflected Cross-Site Scripting (XSS). An attacker can execute JavaScript code in the victim's browser by sending them a malicious URL. This can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. The affected parameters and their endpoints are listed below:
- CVE-2025-41355: 'port' and 'proxyPort' parameters in '/anon.php'.
- CVE-2025-41356: 'host' parameter in '/diagconnect.php'.
- CVE-2025-41357: 'host' parameter in '/diagdns.php'.
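
For defenders who want to check whether these endpoints have received unexpected input, the following added example (not part of the advisory or of Anon Proxy Server) scans web access log lines for the parameters listed above and reports decoded values that do not look like a port or a host. It assumes common/combined log format and only sees values sent in the query string; the allow-list patterns and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> (CVE, parameters), as listed in the advisory.
AFFECTED = {
    "/anon.php": ("CVE-2025-41355", ("port", "proxyPort")),
    "/diagconnect.php": ("CVE-2025-41356", ("host",)),
    "/diagdns.php": ("CVE-2025-41357", ("host",)),
}
# Assumption: legitimate ports are 1-5 digits; legitimate hosts are DNS names
# or IP literals. Any other value is reported.
PORT_RE = re.compile(r"\d{1,5}")
HOST_RE = re.compile(r"[A-Za-z0-9.\-:\[\]]{1,255}")
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan(lines):
    """Return (line_no, cve, param, decoded_value) for each unexpected value."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path not in AFFECTED:
            continue
        cve, params = AFFECTED[url.path]
        # parse_qs percent-decodes, so encoded markup is checked in decoded form.
        query = parse_qs(url.query)
        for param in params:
            pattern = HOST_RE if param == "host" else PORT_RE
            for value in query.get(param, []):
                if not pattern.fullmatch(value):
                    findings.append((line_no, cve, param, value))
    return findings


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /diagdns.php?host=example.org HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /diagconnect.php?host=%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /anon.php?port=8080&proxyPort=%3Cimg%20src%3Dx%3E HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /index.php?host=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
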
| CVE identifier | Severity | Exploitation | Vendor |
|---|---|---|---|
| CVE-2025-41355 | Medium | No | Anon Proxy Server |
| CVE-2025-41356 | Medium | No | Anon Proxy Server |
| CVE-2025-41357 | Medium | No | Anon Proxy Server |



