A reflected XSS attack is possible using the id parameter on vpn_pppoe_edit.php and other similar pages. This allows arbitrary HTML or scripting code to be injected into the response and presented to the user's browser for execution. If a user is logged into their firewall and follows a link that points to an affected page on that firewall and carries an attack, they could be subjected to an XSS or other similar attack that relies on arbitrary injected code.
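A log check for this pattern, added here as an example and not taken from the advisory or the product: it flags requests to edit pages whose decoded id value is not a plain non-negative integer. It assumes that id is normally a numeric index and that the "similar pages" share the _edit.php suffix; the log lines, example_edit.php and the addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format). Only vpn_pppoe_edit.php
# comes from the advisory; every other path, host and value is made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /vpn_pppoe_edit.php?id=0 HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /vpn_pppoe_edit.php?id=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5300
192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /example_edit.php?id=12&act=edit HTTP/1.1" 200 4100
192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /example_edit.php?id=3%22%20x%3D%22 HTTP/1.1" 200 4150
192.0.2.13 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_id(value):
    """True when the decoded id is not a plain non-negative integer.

    Assumption: a legitimate id is a numeric index, so markup characters,
    quotes, whitespace or an empty value are all worth a look.
    """
    return not (value.isascii() and value.isdigit())


def scan(log_text):
    """Return (line number, path, decoded id) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Assumption: the "other similar pages" follow the *_edit.php naming.
        if not url.path.endswith("_edit.php"):
            continue
        # parse_qs percent-decodes values, so encoded markup is seen as the
        # browser would receive it; keep_blank_values also catches "id=".
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("id", []):
            if suspicious_id(value):
                findings.append((lineno, url.path, value))
    return findings


if __name__ == "__main__":
    for lineno, path, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {path} id={value!r}")
```

A hit only shows that a non-numeric id was requested; whether the page reflected it unencoded still has to be confirmed against the installed version.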