Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-24_03.webgui: Multiple XSS vulnerabilities in the WebGUI

Free InsightVM Trial No Credit Card Necessary
Watch Demo See how it all works
Back to Search

pfSense: pfSense-SA-24_03.webgui: Multiple XSS vulnerabilities in the WebGUI



Multiple potential Cross-Site Scripting (XSS) vulnerabilities were found in PHP error display formatting. PHP error messages are plain text, not HTML, but the GUI formats them as HTML when displaying errors in-line on all pages. The PHP Error log display function on crash_reporter.php also also displays the PHP Error log file content without encoding. Additionally, PHP prints function arguments in the stack trace which may contain user input. This problem is present on pfSense Plus version 23.09.1, pfSense CE version 2.7.2, and earlier versions of both. Combined, these issues have a potential to lead to an XSS if the user can login, trigger a PHP error, and influence the arguments displayed in the stack trace. Due to the lack of proper encoding on the affected output susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. Only the first 15 characters of user input are printed in the function arguments, severely limiting the potential exposure.


  • pfsense-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center