Multiple Cross-Site Scripting vulnerabilities were discovered in the pfSense WebGUI during a security audit.

* Multiple XSS in System > Advanced, Notifications page
* XSS in captive portal status widget
* XSS in edit.php

Due to the lack of encoding on the affected actions and pages, an attacker could cause an administrator's browser session to trigger an unwanted action by getting them to browse to a crafted URL.