Cyber Resilience

CVE-2019-25405

Medium · Public PoC

Published: 19 February 2026

Published: 19 February 2026
Modified: 20 February 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score (v4): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (2.4th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25405 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Comodo Dome Firewall. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2019-25405 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Comodo Dome Firewall version 2.7.0. The issue arises from insufficient input validation on the newLicense parameter in the license activation endpoint, enabling attackers to inject malicious scripts via crafted POST requests.

Unauthenticated attackers with network access can exploit this vulnerability by submitting POST requests containing JavaScript payloads in the newLicense field. When administrators access the affected interface, the stored payload executes arbitrary JavaScript in their browsers, potentially leading to session hijacking, data theft, or further compromise. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects its high severity due to remote, low-complexity exploitation with a changed scope.

Resources include a proof-of-concept exploit published on Exploit-DB (https://www.exploit-db.com/exploits/46408) and an advisory from Vulncheck detailing the stored XSS via license activation (https://www.vulncheck.com/advisories/comodo-dome-firewall-stored-cross-site-scripting-via-licenseactivation). Additional references link to the Comodo Dome Firewall product page (https://cdome.comodo.com/firewall/) and a purchase endpoint (https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9278&af=9278), though specific patch or mitigation guidance is not outlined in the available details.

EU & UK References

Vulnerability details

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. Attackers can send POST requests to the license activation endpoint with script payloads in the newLicense field to execute arbitrary JavaScript in administrators' browsers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a public-facing web interface directly enables T1190 exploitation; the injected payloads execute as JavaScript (T1059.007) in administrators' browsers.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2019-25419: same product (Comodo Dome Firewall)
- CVE-2019-25422: same product (Comodo Dome Firewall)
- CVE-2026-3231: shared CWE-79
- CVE-2025-23481: shared CWE-79
- CVE-2025-69302: shared CWE-79
- CVE-2025-23734: shared CWE-79
- CVE-2025-23571: shared CWE-79
- CVE-2025-65110: shared CWE-79
- CVE-2026-24948: shared CWE-79
- CVE-2025-27352: shared CWE-79

Affected Assets

Vendor: comodo
Product: dome firewall
Version: 2.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): directly requires validation of the newLicense input parameter to reject or sanitize script payloads before they are stored and later rendered.
- SI-15 Information Output Filtering (prevent): requires filtering of information output (license data displayed to admins) to neutralize stored script content and block execution in the browser.
- Malicious-code inspection (prevent, detect): can enforce inspection or filtering rules on web inputs/outputs to block or alert on XSS payloads at the license activation endpoint.
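The two controls above, input validation (SI-10) on the newLicense parameter and output filtering (SI-15) on the rendered license data, are shown together in the following added example. This is illustrative code written for this page, not Comodo's own handler or the appliance's actual license format: the allow-list pattern, the `handle_activation` function, the in-memory store and the sample requests are all constructed assumptions. It shows the defence-in-depth point that validation stops script content from being stored, and HTML encoding stops it from executing even if something does reach the store.

```python
import html
import re

# Assumed allow-list for a license-key-like value. The real Comodo license
# format is not documented on the page; this pattern is a constructed stand-in.
LICENSE_RE = re.compile(r"^[A-Za-z0-9-]{8,64}$")

# Hypothetical in-memory store standing in for the appliance's persisted config.
STORE: dict[str, str] = {}


class InvalidLicense(ValueError):
    """Raised when the submitted newLicense value fails allow-list validation."""


def validate_new_license(value: object) -> str:
    """SI-10 style input validation: accept only allow-listed characters.

    Rejecting rather than sanitizing keeps the stored value free of markup and
    avoids the classic sanitizer-bypass problems of strip-and-keep approaches.
    """
    if not isinstance(value, str):
        raise InvalidLicense("newLicense must be a string")
    candidate = value.strip()
    if not LICENSE_RE.fullmatch(candidate):
        raise InvalidLicense("newLicense contains characters outside the allowed set")
    return candidate


def render_license_row(stored_value: str) -> str:
    """SI-15 style output filtering: HTML-encode before inserting into the admin page.

    quote=True also encodes quotation marks so the value is safe inside attributes.
    """
    return f"<td>{html.escape(stored_value, quote=True)}</td>"


def handle_activation(form: dict) -> dict:
    """Simulated POST handler for the license activation endpoint (constructed).

    Returns a small dict mimicking an HTTP response: status plus either the
    stored value or an error message. Nothing is stored on validation failure.
    """
    raw = form.get("newLicense", "")
    try:
        clean = validate_new_license(raw)
    except InvalidLicense as exc:
        return {"status": 400, "error": str(exc)}
    STORE["license"] = clean
    return {"status": 200, "stored": clean}


def admin_view() -> str:
    """Render whatever is stored; encoding happens here regardless of validation."""
    return render_license_row(STORE.get("license", ""))


if __name__ == "__main__":
    # Constructed sample requests: one well-formed key, one containing markup.
    print(handle_activation({"newLicense": "ABCD-1234-EFGH-5678"}))
    print(handle_activation({"newLicense": "<script>alert(1)</script>"}))
    print(admin_view())
```

The validator is the primary control: a value with markup never reaches the store, so the admin page has nothing malicious to render. The encoder in `render_license_row` is the backstop; because it encodes on output rather than trusting the store, a value that entered through another path (an import, a database edit, an older unvalidated release) is still displayed as text rather than executed.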

References