Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-16_03.webgui: Stored XSS in the pfSense WebGUI

Back to Search

pfSense: pfSense-SA-16_03.webgui: Stored XSS in the pfSense WebGUI

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
05/09/2016
Created
07/25/2018
Added
08/25/2017
Modified
01/30/2020

Description

A Cross-Site Scripting (XSS) vulnerability was found in pkg.php, part of the pfSense WebGUI, on pfSense 2.3 and earlier versions. pkg.php is used to display and manage lists of items used by packages. Items in these lists were displayed without encoding, which could result in a stored XSS if the package did not validate or sanitize the data when values were stored. A Cross-Site Scripting (XSS) vulnerability was found in Notice handling, part of the pfSense WebGUI, affecting pfSense 2.3 only. The firewall displays notices formed by various areas of the system to notify the user of problems or significant events. The text of the notices was not encoded before display, leading to a potential persistent XSS. Due to the lack of proper encoding on the affected variables and pages, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. In the case of the potential Notices XSS vector, the notice text is not directly controllable by the user, but in certain cases it was filled with an HTML response from a remote server controlled by the pfSense project.

Solution(s)

  • pfsense-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;