Cross-Site Scripting (XSS) vulnerabilities were found in three pages of the
pfSense software WebGUI on version 2.3.4 and earlier.
* On vendor/filebrowser/browser.php, which is part of the "Browse" function on
diag_edit.php, the "filename" parameter can be used to trigger an XSS if a
file exists with a specially-crafted name.
In order to exploit this, a user must be able to write files with arbitrary
names to the firewall and then coerce an administrator with GUI access to load
that same file in diag_edit.php through the file browser.
* On firewall_nat_edit.php, the "interface" parameter was not validated on save,
so a specially-crafted submission could store an interface with a name that
* On diag_tables.php, the "type" parameter which contains the table name to
display was not being validated against a list of current tables. The
unvalidated parameter was submitted back via AJAX to load the invalid table,
and was presented to the user unencoded.
Due to the lack of proper encoding on the affected variable susceptible to XSS,
cookie or other information from the session may be compromised.