Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-14_03.webgui: Reflected XSS

Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/04/2014
Created: 07/25/2018
Added: 08/25/2017
Modified: 03/27/2020

Description

A reflected XSS attack is possible using the id parameter on vpn_pppoe_edit.php and other similar pages. The parameter value is returned in the page, which allows arbitrary HTML or scripting code to be injected and presented to the user's browser for execution. If a user is logged into their firewall and follows a link that points to an affected page on that firewall and carries an attack, they could be subjected to an XSS or other similar attack which relies on arbitrary injected code.
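The reflection pattern described above and a hardened counterpart, as an added PHP sketch that is not pfSense source code. The function names, the hidden form field, and the assumption that id is a small numeric row index are illustrative, and the sample inputs are constructed.

```php
<?php
// Added illustration, not pfSense code. All names here are hypothetical.

// Vulnerable pattern: the request value is copied into the HTML unchanged,
// so markup in the parameter becomes markup in the page.
function render_id_field_unsafe(array $query): string
{
    $id = $query['id'] ?? '';
    return '<input name="id" type="hidden" value="' . $id . '" />';
}

// Hardened step 1: strict allow-list. Assumption: id is a decimal row index.
// is_string() rejects array-valued parameters such as ?id[]=3, and the /D
// modifier stops "$" from matching before a trailing newline.
function parse_id(array $query): ?int
{
    $raw = $query['id'] ?? null;
    if (!is_string($raw) || preg_match('/^[0-9]{1,6}$/D', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Hardened step 2: encode on output as well, so the field stays safe even if
// the validation above is later loosened.
function render_id_field_safe(array $query): string
{
    $id = parse_id($query);
    if ($id === null) {
        return ''; // omit the field instead of echoing untrusted text
    }
    $encoded = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="id" type="hidden" value="' . $encoded . '" />';
}

// Constructed sample inputs: a well-formed id and one carrying inert markup.
$samples = [
    ['id' => '3'],
    ['id' => '3"><b>injected</b>'],
];
foreach ($samples as $query) {
    echo 'input : ', $query['id'], "\n";
    echo 'unsafe: ', render_id_field_unsafe($query), "\n";
    echo 'safe  : ', render_id_field_safe($query), "\n\n";
}
```

For the second sample the unsafe renderer closes the attribute and emits the `<b>` element as live markup, while the hardened renderer returns an empty string.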

Solution(s)

  • pfsense-upgrade-latest
