CVE-2025-13938

Published: Dec 4, 2025Modified: Dec 10, 2025

4.8

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: 5d1c2695-1a31-4499-88ae-e847036fd7e3 (Secondary)

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS.This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Affected (3)

Products: Watchguard: Fireware

Watchguard

1 product

Fireware

Configuration A

1 vulnerable · 6 platform

Vulnerable Software	Affected Versions
Watchguard Fireware	From 2025.1 to 2025.1.3

Running on/with	Platform Versions
Watchguard Firebox T115 W	All versions
Watchguard Firebox T125	All versions
Watchguard Firebox T125 W	All versions
Watchguard Firebox T145	All versions
Watchguard Firebox T145 W	All versions
Watchguard Firebox T185	All versions

Configuration B

1 vulnerable · 25 platform

Vulnerable Software	Affected Versions
Watchguard Fireware	From 12.0.0 to 12.11.5

Running on/with	Platform Versions
Watchguard Firebox M270	All versions
Watchguard Firebox M290	All versions
Watchguard Firebox M370	All versions
Watchguard Firebox M390	All versions
Watchguard Firebox M440	All versions
Watchguard Firebox M4600	All versions
Watchguard Firebox M470	All versions
Watchguard Firebox M4800	All versions
Watchguard Firebox M5600	All versions
Watchguard Firebox M570	All versions
Watchguard Firebox M5800	All versions
Watchguard Firebox M590	All versions
Watchguard Firebox M670	All versions
Watchguard Firebox M690	All versions
Watchguard Firebox Nv5	All versions
Watchguard Firebox T20	All versions
Watchguard Firebox T25	All versions
Watchguard Firebox T40	All versions
Watchguard Firebox T45	All versions
Watchguard Firebox T55	All versions
Watchguard Firebox T70	All versions
Watchguard Firebox T80	All versions
Watchguard Firebox T85	All versions
Watchguard Fireboxcloud	All versions
Watchguard Fireboxv	All versions

Configuration C

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Watchguard Fireware	From 12.5 to 12.5.14

Running on/with	Platform Versions
Watchguard Firebox T15	All versions
Watchguard Firebox T35	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00023

Source: 5d1c2695-1a31-4499-88ae-e847036fd7e3

Vendor Advisory

Timeline

No history available yet.