pfSense: pfSense-SA-16_03.webgui: Stored XSS in the pfSense WebGUI

Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: May 9, 2016
Added: Aug 25, 2017
Modified: Feb 18, 2025

Description

A Cross-Site Scripting (XSS) vulnerability was found in pkg.php, part of the
pfSense WebGUI, on pfSense 2.3 and earlier versions. pkg.php is used to display
and manage lists of items used by packages. Items in these lists were displayed
without encoding, which could result in a stored XSS if the package did not
validate or sanitize the data when values were stored.

A Cross-Site Scripting (XSS) vulnerability was found in Notice handling, part of
the pfSense WebGUI, affecting pfSense 2.3 only. The firewall displays notices
formed by various areas of the system to notify the user of problems or
significant events. The text of the notices was not encoded before display,
leading to a potential persistent XSS.

Due to the lack of proper encoding on the affected variables and pages,
arbitrary JavaScript can be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

In the case of the potential Notices XSS vector, the notice text is not directly
controllable by the user, but in certain cases it was filled with an HTML
response from a remote server controlled by the pfSense project.
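The two output patterns the advisory contrasts, as an added illustration that is not pfSense project code: package list items (pkg.php) and notice text echoed into the page unencoded, beside the same rendering with HTML encoding applied at output time. Function names, the row layout and the sample values are assumptions made for this example.

```php
<?php
// Added example (not pfSense project code). Function and variable names are
// assumptions for illustration; the layout does not reproduce pkg.php.

// Encode a string for safe insertion into HTML text or an attribute value.
// ENT_QUOTES covers both quote styles so the value is also safe inside attributes.
function html_out(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Pattern described in the advisory: stored list items echoed straight into
// the table, so any markup a package stored without validation reaches the browser.
function render_pkg_rows_unencoded(array $items): string {
    $html = '';
    foreach ($items as $item) {
        $html .= '<tr><td>' . $item['name'] . '</td><td>' . $item['descr'] . "</td></tr>\n";
    }
    return $html;
}

// Corrected pattern: every stored value is encoded when displayed, independent
// of whether the package validated or sanitized it when the value was stored.
function render_pkg_rows_encoded(array $items): string {
    $html = '';
    foreach ($items as $item) {
        $html .= '<tr><td>' . html_out($item['name']) . '</td><td>' . html_out($item['descr']) . "</td></tr>\n";
    }
    return $html;
}

// Notices: the text is produced by the system (or, per the advisory, filled
// from a remote HTTP response), so it is treated as untrusted at output as well.
function render_notice_encoded(string $notice): string {
    return '<div class="alert">' . html_out($notice) . "</div>\n";
}

// Constructed sample: one stored list item whose description carries markup.
$items = [
    ['name' => 'example-entry', 'descr' => '<script>alert(1)</script>'],
];

echo render_pkg_rows_unencoded($items); // markup is emitted as-is
echo render_pkg_rows_encoded($items);   // emitted as &lt;script&gt;alert(1)&lt;/script&gt;
echo render_notice_encoded('Update check returned: <b>unexpected</b> body');
```

Encoding at the point of output is the fix the advisory describes; input validation in individual packages is a defense in depth layer, not a substitute, because pkg.php cannot know which packages validated their stored values.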

Solution

pfsense-upgrade-latest