A command-injection vulnerability exists in pkg_mgr_install.php using the 'id'
parameter. This allows an authenticated WebGUI user with privileges for
pkg_mgr_install.php to execute commands in the context of the root user.
A user on pfSense version 2.3.1_1 or earlier, granted limited access to the
pfSense web configurator GUI including access to pkg_mgr_install.php could
leverage these vulnerabilities to gain increased privileges, read other files,
execute commands, or perform other alterations.
Some characters, such as '/' and '-' were filtered, which limits the number of
commands which could be executed using this vulnerability.
This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.