A command-injection vulnerability exists in auth.inc via system_groupmanager.php
using the 'members' parameter. This allows an authenticated WebGUI user with
privileges for system_groupmanager.php to execute commands in the context of the
A user on pfSense version 2.3.1_1 or earlier, granted limited access to the
pfSense web configurator GUI including access to system_groupmanager.php could
leverage these vulnerabilities to gain increased privileges, read other files,
execute commands, or perform other alterations.
Note users with access to the group manager almost always have full admin rights,
and can grant themselves such rights if they do not already have them.
This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.