A command-injection vulnerability exists in firewall_aliases_edit.php. This
allows authenticated WebGUI users with privileges for firewall_aliases_edit.php
to execute commands in the context of the root user.
A user granted limited access to the pfSense web configurator GUI including
access to firewall_aliases_edit.php via the "WebCfg - Firewall:
Alias: Edit page" permission, could leverage this vulnerability to gain
increased privileges, read other files, execute commands, or perform other
This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.