A reflected XSS attack is possible using the id paramter on vpn_pppoe_edit.php and
other similar pages. This allows injection of arbitrary HTML or scripting code to
be presented to the user's browser for execution.
If a user is logged into their firewall and they follow a link which points
to an affected page on their firewall including an attack, they could be subjected
to an XSS or other similar attack which relies on arbitrary injected code.