vulnerability

pfSense: pfSense-SA-21_02.captiveportal: XSS vulnerability in the WebGUI

Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: Apr 22, 2021
Added: Jun 3, 2021
Modified: Feb 18, 2025

Description


A Cross-Site Scripting (XSS) vulnerability was found in Captive Portal,
a component of pfSense CE and pfSense Plus software, on pfSense CE
version 2.5.1, pfSense Plus version 21.02.2, and earlier versions of both.

The Captive Portal page presented to clients at login did not validate the
contents of the redirurl field, nor did it encode the output when passed an
arbitrary value, leading to a possible XSS.

If a logged-in captive portal user visits a manually crafted URL for the Captive
Portal login page which contains a malicious value for redirurl, and then
follows the resulting link, it could lead to arbitrary JavaScript code being
executed in their browser. This is possible due to the lack of proper encoding
on the affected parameters susceptible to XSS. The user's session cookie or
other information from the session may be compromised.

Note that this has no effect on the security of the firewall or Captive Portal system
itself as this only applies to Captive Portal user sessions and the client web
browser. The Captive Portal login session itself is restricted by IP address
and, by default, also by MAC address. Thus the user's Captive Portal login
session could not be compromised via JavaScript, but there may be other client
and/or browser-specific concerns.
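
The two missing controls described above (validating redirurl, then encoding it on output) can be sketched as follows. This is an added example, not pfSense code or the vendor's patch; the function names, the 2048-byte length limit and the sample inputs are assumptions made for illustration.

```php
<?php
// Hypothetical unsafe pattern of the kind the advisory describes:
//   echo '<a href="' . $_GET['redirurl'] . '">Continue</a>';

/** Return $raw if it is an absolute http(s) URL, otherwise null. */
function validate_redirurl(?string $raw): ?string
{
    // Length limit is an assumed policy value, not taken from the advisory.
    if ($raw === null || $raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Reject whitespace and control characters, which browsers may strip
    // before they parse the scheme.
    if (preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Allowlist of schemes: anything else (javascript:, data:, ...) is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

/** Encode a value for HTML text and quoted-attribute contexts. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the post-login link; fall back to plain text if redirurl is rejected. */
function render_redirect_link(?string $raw): string
{
    $url = validate_redirurl($raw);
    if ($url === null) {
        return '<p>Login successful.</p>';
    }
    return '<a href="' . h($url) . '">Continue to ' . h($url) . '</a>';
}

// Constructed sample inputs: a normal URL, a non-http scheme,
// a URL carrying markup characters, and an empty value.
$samples = ['https://example.com/news?id=1&lang=en', 'javascript:alert(1)',
            'https://example.com/"><script>alert(1)</script>', ''];
foreach ($samples as $s) {
    echo render_redirect_link($s), PHP_EOL;
}
```

The third sample passes the scheme check, which is why the output encoding step is still required after validation.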

Solution

pfsense-upgrade-latest