vulnerability
pfSense: pfSense-SA-23_02.webgui: XSS vulnerability in the WebGUI
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Feb 15, 2023 | Feb 16, 2023 | Feb 18, 2025 |
Description
A potential Cross-Site Scripting (XSS) vulnerability was found in
system_camanager.php and system_certmanager.php, components of the pfSense Plus
and pfSense CE software GUI.
In both cases, the page did not validate or sanitize the description of CA or
certificate entries when editing and saving existing entries. Existing
validation covered other actions. There are several places around the GUI which
display CA and Certificate descriptions without encoding.
This problem is present on pfSense Plus version 22.05, pfSense CE version
2.6.0, and earlier versions of both.
Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.
Solution
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.