vulnerability
pfSense: pfSense-SA-24_03.webgui: Multiple XSS vulnerabilities in the WebGUI
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | 04/22/2024 | 04/24/2024 | 02/18/2025 |
Description
Multiple potential Cross-Site Scripting (XSS) vulnerabilities were found in
PHP error display formatting.
PHP error messages are plain text, not HTML, but the GUI formats them as HTML
when displaying errors in-line on all pages. The PHP Error log display function
on crash_reporter.php also also displays the PHP Error log file content without
encoding.
Additionally, PHP prints function arguments in the stack trace which may contain
user input.
This problem is present on pfSense Plus version 23.09.1, pfSense CE version
2.7.2, and earlier versions of both.
Combined, these issues have a potential to lead to an XSS if the user can login,
trigger a PHP error, and influence the arguments displayed in the stack trace.
Due to the lack of proper encoding on the affected output susceptible to XSS,
arbitrary JavaScript could be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.
Only the first 15 characters of user input are printed in the function
arguments, severely limiting the potential exposure.
Solution
References
- URL-https://docs.netgate.com/downloads/pfSense-SA-24_03.webgui.asc
- URL-https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
- URL-https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html
- URL-https://redmine.pfsense.org/issues/15263
- URL-https://redmine.pfsense.org/issues/15264
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.