Cross-Site Scripting (XSS) vulnerabilities were found in the dashboard and
widgets, components of the pfSense software WebGUI, on version 2.4.1 and earlier
of the 2.4.x release branch.
* On index.php, the "sequence" parameter component for multiple widget instance
counters was not validated and it was echoed back to the user directly without
encoding. A specially-crafted submission could store an invalid widget
sequence which could be used as an XSS vector.
* On numerous widgets which support multiple instances, the widgetkey parameter
was taken from $_REQUEST and echoed back to the user directly without
encoding, which could be used as an XSS vector.
Due to the lack of proper encoding on the affected variable susceptible to XSS,
cookie or other information from the session may be compromised.