Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-15_03.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI

Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 03/05/2015
Created: 07/25/2018
Added: 08/25/2017
Modified: 03/27/2020

Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in the pfSense WebGUI:

  • XSS via the "zone" parameter in status_captiveportal.php
  • XSS via the "if" and "dragtable" parameters in /firewall_rules.php
  • XSS via the "queue" parameter in firewall_shaper.php
  • XSS via the "id" parameter in services_unbound_acls.php
  • XSS via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", "filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", "filterlogentries_protocolflags" and "filterlogentries_qty" parameters on /diag_logs_filter.php

Because the affected variables are written back into the page without proper output encoding, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised.

From the original report:

Input passed via the "zone" HTTP GET parameter to the "/status_captiveportal.php" script is not properly sanitized before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and executing arbitrary HTML and script code in the browser in the context of the vulnerable website.

Input passed via the "if" and "dragtable" HTTP GET parameters to the "/firewall_rules.php" script is not properly sanitized before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and executing arbitrary HTML and script code in the browser in the context of the vulnerable website.

Input passed via the "queue" HTTP GET parameter to the "/firewall_shaper.php" script is not properly sanitized before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and executing arbitrary HTML and script code in the browser in the context of the vulnerable website.

Input passed via the "id" HTTP GET parameter to the "/services_unbound_acls.php" script is not properly sanitized before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and executing arbitrary HTML and script code in the browser in the context of the vulnerable website.

Input passed via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", "filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", "filterlogentries_protocolflags" and "filterlogentries_qty" HTTP GET parameters to the "/diag_logs_filter.php" script is not properly sanitized before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and executing arbitrary HTML and script code in the browser in the context of the vulnerable website.
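The encoding defect behind these findings, shown as an added example that is not pfSense's own code: a simplified stand-in for how a page such as status_captiveportal.php might reflect the "zone" parameter, first unencoded and then in a corrected form that validates the identifier and encodes on output. The function names, the heading markup and the sample inputs are constructed for illustration.

```php
<?php
// Vulnerable pattern (hypothetical stand-in): the raw query-string value is
// interpolated straight into HTML, so any markup it carries is rendered.
function render_zone_heading_vulnerable(array $get): string {
    $zone = $get['zone'] ?? '';
    return "<h2>Captive portal status for zone: {$zone}</h2>";
}

// Corrected pattern: a zone name is an identifier, so reject anything outside
// a conservative character set, and still encode on output with the full quote
// set and an explicit charset so '<', '>', '"', '\'' and '&' cannot break out
// of the surrounding HTML context even if validation is later relaxed.
function render_zone_heading_fixed(array $get): string {
    $zone = (string)($get['zone'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $zone)) {
        return "<h2>Captive portal status: invalid zone name</h2>";
    }
    $safe = htmlspecialchars($zone, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Captive portal status for zone: {$safe}</h2>";
}

// Constructed sample inputs standing in for $_GET; no real request is read.
$samples = [
    ['zone' => 'guestwifi'],              // benign value passes both paths unchanged
    ['zone' => 'x"><b>not a zone</b>'],   // markup-bearing value: reflected vs. rejected
];

foreach ($samples as $get) {
    echo "vulnerable: ", render_zone_heading_vulnerable($get), PHP_EOL;
    echo "fixed:      ", render_zone_heading_fixed($get), PHP_EOL;
}
```

Run with `php example.php`; the vulnerable line shows the second sample's markup passed through intact, while the fixed line shows it refused before it reaches the page.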

Solution(s)

  • pfsense-upgrade-latest
