pfSense: pfSense-SA-24_02.webgui: Stored XSS vulnerability in the WebGUI

A potential stored Cross-Site Scripting (XSS) vulnerability was found in
services_acb_settings.php, a component of the Auto Config Backup feature in the
pfSense Plus and pfSense CE software GUI.

The page does not validate or sanitize the value of the "frequency" parameter,
which is stored in config.xml and may be printed without encoding inside a block
of JavaScript code.

This problem is present on pfSense Plus version 23.09.1, pfSense CE version
2.7.2, and earlier versions of both.

Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. Because the
value is stored, the attacker could also trick another administrator into
visiting the compromised page. The target user's session cookie or other
information from the session may be compromised.

The user must be logged in, have sufficient privileges to access
services_acb_settings.php, and have privileges to make changes to the
configuration.

Users with access to Auto Config Backup and its settings effectively have full
administrator access, making this a moot point in nearly all cases. However, it
is theoretically possible that a user might only be granted access to the
settings tab and not the tabs which manage configuration files.